Abstract

Partial order reduction (POR) and net unfoldings are two alternative methods to tackle state- 
space explosion caused by concurrency. In this paper, we propose the combination of both 
approaches in an effort to combine their strengths. We first define, for an abstract execution 
model, unfolding semantics parameterized over an arbitrary independence relation. Based on 
it, our main contribution is a novel stateless POR algorithm that explores at most one execution per Mazurkiewicz trace, and in general, can explore exponentially fewer, thus achieving a
form of super-optimality. Furthermore, our unfolding-based POR copes with non-terminating
executions and incorporates state-caching. Over benchmarks with busy-waits, among others, 
our experiments show a dramatic reduction in the number of executions when compared to a 
state-of-the-art DPOR. 
1 Introduction

Efficient exploration of the state space of a concurrent system is a fundamental problem in automated verification. Concurrent actions often interleave in intractably many ways, quickly
populating the state space with many equivalent but unequal states. Existing approaches to 
address this can essentially be classified as either partial-order reduction techniques (PORs) 
or unfolding methods. 

POR methods [18,7,6,8,20,19,2,1] conceptually exploit the fact that executing certain transitions can be postponed owing to their result being independent of the execution sequence taken in their stead. They execute a provably-sufficient subset of transitions enabled at every state, computed either statically [18,7] or dynamically [6,2]. The latter methods, referred to as dynamic PORs (DPORs), are often stateless (i.e., they only store one execution in memory) and constitute the most promising algorithms of the family. By contrast,
unfolding approaches [14, 5,3,10] model execution by partial orders, bound together by a 
conflict relation. They construct finite, complete prefixes by a saturation procedure, and 
cope with non-terminating executions using cutoff events [5,3]. 

While a POR can employ arbitrarily sophisticated decision procedures to choose a sufficient subset of transitions to fire, in most cases [7,6,8,20,19,2,1] the commutativity of transitions is the enabling mechanism underlying the chosen procedure. Commutativity, or independence, is thus a mechanism and not necessarily an irreplaceable component of a POR [18,9].¹ PORs that exploit such commutativity conceptually establish an equivalence relation on the sequential executions of the system and explore at least one representative of each class, thus discarding equivalent executions. In this work we restrict our attention exclusively to PORs that exploit commutativity.

Despite impressive advances in the field, both unfoldings and PORs have shortcomings. 
We now give six of them. Current unfolding algorithms (1) need to solve an NP-complete 
problem when adding events to the unfolding [14], which seriously limits the performance 
of existing unfolders as the structure grows. They are also (2) inherently stateful, i.e., they 
cannot selectively discard visited events from memory, quickly running out of it. PORs, 
on the other hand, explore Mazurkiewicz traces [13], which (3) often outnumber the events 
in the corresponding unfolding by an exponential factor (e.g.. Fig. 2 (d) gives an unfolding 
with 2n events and 0(2^) traces). Furthermore, DPORs often (4) explore the same states 
repeatedly [19], and combining them with stateful search, although achieved for non-optimal 
DPOR [19,20], is difficult because of the dynamic nature of DPOR [20]. More on this 
in Example 1. The same holds when extending DPORs to (5) cope with non-terminating 
executions (note that a solution to (4) does not necessarily solve (5)). Lastly, (6) existing 
stateless PORs do not exploit additional available memory (RAM) for any other purpose. 

Either readily available solutions or promising directions to address these six problems 
can be found in, respectively, the opposite approach. PORs inexpensively add events to the 
current execution, contrary to unfoldings (1). They easily discard events from memory when 
backtracking, which addresses (2). On the other hand, while PORs explore Mazurkiewicz traces (maximal configurations), unfoldings explore events (local configurations), thus addressing (3). Explorations of repeated states and pruning of non-terminating executions is
elegantly achieved in unfoldings by means of cutoff events. This solves (4) and (5). 

Some of these solutions indeed seem, at present, incompatible with each other. We do 
not mean that the combination of POR and unfoldings immediately addresses the above 
problems. However, since both unfoldings and PORs share many fundamental similarities, 
tackling these problems in a unified framework is likely to shed light on them. 

This paper lays out a DPOR algorithm on top of an unfolding structure. Our main result 
is a novel stateless, optimal DPOR that explores at most once every Mazurkiewicz trace, 
and often many fewer owing to cutoff events (cutoffs stop traces that could later branch into 
multiple traces). It also copes with non-terminating systems and exploits all available RAM 
with a cache memory of events, speeding up revisiting events. This provides a solution to 
(4), (5), (6), and a partial solution to (3). Our algorithm can alternatively be viewed as a 
stateless unfolding exploration, partially addressing (1) and (2). 

Our result reveals DPORs as algorithms exploring an object that has richer structure 
than a plain directed graph. Specifically, unfoldings provide a solid notion of event across 
multiple executions, and a clear notion of conflict. Our algorithm indirectly maps important 
POR notions to concepts in unfolding theory. 

► Example 1. We illustrate problems (3), (4), and (5), and show how our DPOR deals with 
them. The following code is the skeleton of a producer-consumer program. Two concurrent 
producers write in, resp., buf1 and buf2. The consumer accesses the buffers in sequence.


¹ Though it is a very popular one, all PORs based on persistent sets [7], for instance, are based on commutativity.
    // producer 1
    while (1):
      lock(m1)
      if (buf1 < MAX): buf1++
      unlock(m1)

    // producer 2
    while (1):
      lock(m2)
      if (buf2 < MAX): buf2++
      unlock(m2)

    // consumer
    while (1):
      lock(m1)
      if (buf1 > MIN): buf1--
      unlock(m1)
      // same for m2, buf2


Lock and unlock operations on both mutexes m1 and m2 create many Mazurkiewicz traces. However, most of them have isomorphic suffixes, e.g., producing two items in buf1 and consuming one reaches the same state as only producing one. After the common state, both
traces explore identical behaviours and only one needs to be explored. We use cutoff events, 
inherited from unfolding theory [5,3], to dynamically stop the first trace and continue only 
with the second. This addresses (4) and (5), and partially deals with (3). Observe that 
cutoff events are a form of semantic pruning, in contrast to the syntactic pruning introduced 
by, e.g., bounding the depth of loops, a common technique for coping with non-terminating 
executions in DPOR. With cutoffs, the exploration can build unreachability proofs, while 
depth bounding renders DPOR incomplete, i.e., it can only find bugs. 


Our first step is to formulate PORs and unfoldings in the same framework. PORs are 
often presented for abstract execution models, while unfoldings have mostly been considered 
for Petri nets, where the definition is entangled with the syntax of the net. We make a second 
contribution here. We define, for a general execution model, event structure semantics [16] 
parametric on a given independence relation. 

Section 2 sets up basic notions and § 3 presents our parametric event-structure semantics. 
In § 4 we introduce our DPOR, § 5 improves it with cutoff detection and discusses event 
caching. Experimental results are in § 6 and related work in § 7. We conclude in § 8. All 
lemmas cited along the paper and proofs of all stated results can be found in the appendixes. 


2 Execution Model and Partial Order Reductions

We set up notation and recall general notions about PORs. We consider an abstract model of (concurrent) computation. A system is a tuple $M := (\Sigma, T, \tilde{s})$ formed by a set $\Sigma$ of global states, a set $T$ of transitions and some initial global state $\tilde{s} \in \Sigma$. Each transition $t\colon \Sigma \to \Sigma$ in $T$ is a partial function accounting for how the occurrence of $t$ transforms the state of $M$.

A transition $t \in T$ is enabled at a state $s$ if $t(s)$ is defined. Such $t$ can fire at $s$, producing a new state $s' := t(s)$. We let $\mathit{enabl}(s)$ denote the set of transitions enabled at $s$. The interleaving semantics of $M$ is the directed, edge-labelled graph $S_M := (\Sigma, \to, \tilde{s})$ where $\Sigma$ are the global states, $\tilde{s}$ is the initial state and ${\to} \subseteq \Sigma \times T \times \Sigma$ contains a triple $(s, t, s')$, denoted by $s \xrightarrow{t} s'$, iff $t$ is enabled at $s$ and $s' = t(s)$. Given two states $s, s' \in \Sigma$, and $\sigma := t_1.t_2 \ldots t_n \in T^*$ ($t_1$ concatenated with $t_2$, ..., until $t_n$), we denote by $s \xrightarrow{\sigma} s'$ the fact that there exist states $s_1, \ldots, s_{n-1} \in \Sigma$ such that $s \xrightarrow{t_1} s_1$, ..., $s_{n-1} \xrightarrow{t_n} s'$.

A run (or interleaving, or execution) of $M$ is any sequence $\sigma \in T^*$ such that $\tilde{s} \xrightarrow{\sigma} s$ for some $s \in \Sigma$. We denote by $\mathit{state}(\sigma)$ the state $s$ that $\sigma$ reaches, and by $\mathit{runs}(M)$ the set of runs of $M$, also referred to as the interleaving space. A state $s \in \Sigma$ is reachable if $s = \mathit{state}(\sigma)$ for some $\sigma \in \mathit{runs}(M)$; it is a deadlock if $\mathit{enabl}(s) = \emptyset$, and in that case $\sigma$ is called deadlocking. We let $\mathit{reach}(M)$ denote the set of reachable states in $M$. For the rest of the paper, we fix a system $M := (\Sigma, T, \tilde{s})$ and assume that $\mathit{reach}(M)$ is finite.

The core idea behind PORs is that certain transitions can be seen as commutative operators, i.e., changing their order of occurrence does not change the result. Given two transitions $t, t' \in T$ and one state $s \in \Sigma$, we say that $t, t'$ commute at $s$ iff
■ if $t \in \mathit{enabl}(s)$ and $s \xrightarrow{t} s'$, then $t' \in \mathit{enabl}(s)$ iff $t' \in \mathit{enabl}(s')$; and
■ if $t, t' \in \mathit{enabl}(s)$, then there is a state $s'$ such that $s \xrightarrow{t.t'} s'$ and $s \xrightarrow{t'.t} s'$.

For instance, the lock operations on m1 and m2 (Example 1) commute at every state, as they update different variables. Commutativity of transitions at states identifies an equivalence relation on the set $\mathit{runs}(M)$. Two runs $\sigma$ and $\sigma'$ of the same length are equivalent, written $\sigma \equiv \sigma'$, if they are the same sequence modulo swapping commutative transitions. Thus equivalent runs reach the same state. POR methods explore a fragment of $S_M$ that contains at least one run in the equivalence class of each run that reaches each deadlock state. This is achieved by means of a so-called selective search [7]. Since employing commutativity can be expensive, PORs often use independence relations, i.e., sound under-approximations of the commutativity relation. In this work, partially to simplify presentation, we use unconditional independence.

Formally, an unconditional independence relation on $M$ is any symmetric and irreflexive relation ${\Diamond} \subseteq T \times T$ such that if $t \Diamond t'$, then $t$ and $t'$ commute at every state $s \in \mathit{reach}(M)$. If $t, t'$ are not independent according to $\Diamond$, then they are dependent, denoted by $t \otimes t'$.

Unconditional independence identifies an equivalence relation $\equiv_\Diamond$ on the set $\mathit{runs}(M)$. Formally, $\equiv_\Diamond$ is defined as the transitive closure of the relation that relates $\sigma$ and $\sigma'$ iff there are $\sigma_1, \sigma_2 \in T^*$ such that $\sigma = \sigma_1.t.t'.\sigma_2$, $\sigma' = \sigma_1.t'.t.\sigma_2$, and $t \Diamond t'$. From the properties of $\Diamond$, one can immediately see that $\equiv_\Diamond$ refines $\equiv$, i.e., if $\sigma \equiv_\Diamond \sigma'$, then $\sigma \equiv \sigma'$.

Given a run $\sigma \in \mathit{runs}(M)$, the equivalence class of $\equiv_\Diamond$ to which $\sigma$ belongs is called the Mazurkiewicz trace of $\sigma$ [13], denoted by $\mathcal{T}_{\Diamond,\sigma}$. Each trace $\mathcal{T}_{\Diamond,\sigma}$ can equivalently be seen as a labelled partial order $\mathcal{D}_{\Diamond,\sigma}$, traditionally called the dependence graph (see [13] for a formalization), satisfying that a run belongs to the trace iff it is a linearization of $\mathcal{D}_{\Diamond,\sigma}$.

Sleep sets [7] are another method for state-space reduction. Unlike selective exploration, 
they prune successors by looking at the past of the exploration, not the future. 

3 Parametric Partial Order Semantics

An unfolding is, conceptually, a tree-like structure of partial orders. In this section, given an independence relation $\Diamond$ (our parameter) and a system $M$, we define an unfolding semantics $\mathcal{U}_{M,\Diamond}$ with the following property: each constituent partial order of $\mathcal{U}_{M,\Diamond}$ will correspond to one dependence graph $\mathcal{D}_{\Diamond,\sigma}$, for some $\sigma \in \mathit{runs}(M)$. For the rest of this paper, let $\Diamond$ be an arbitrary unconditional independence relation on $M$. We use prime event structures [16], a non-sequential, event-based model of concurrency, to define the unfolding $\mathcal{U}_{M,\Diamond}$ of $M$.

► Definition 2 (LES). Given a set $A$, an $A$-labelled event structure ($A$-LES, or LES in short) is a tuple $\mathcal{E} := (E, <, \#, h)$ where $E$ is a set of events, ${<} \subseteq E \times E$ is a strict partial order on $E$, called causality relation, $h\colon E \to A$ labels every event with an element of $A$, and ${\#} \subseteq E \times E$ is the symmetric, irreflexive conflict relation, satisfying
■ for all $e \in E$, $\{e' \in E : e' < e\}$ is finite, and (1)
■ for all $e, e', e'' \in E$, if $e \# e'$ and $e' < e''$, then $e \# e''$. (2)

The causes of an event $e \in E$ are the set $[e] := \{e' \in E : e' < e\}$ of events that need to happen before $e$ for $e$ to happen. A configuration of $\mathcal{E}$ is any finite set $C \subseteq E$ satisfying:
■ (causally closed) for all $e \in C$ we have $[e] \subseteq C$; (3)
■ (conflict free) for all $e, e' \in C$, it holds that $\neg(e \# e')$. (4)

Intuitively, configurations represent partially-ordered executions. In particular, the local configuration of $e$ is the $\subseteq$-minimal configuration that contains $e$, i.e. $\lfloor e \rfloor := [e] \cup \{e\}$. We denote by $\mathit{conf}(\mathcal{E})$ the set of configurations of $\mathcal{E}$. Two events $e, e'$ are in immediate conflict, $e \mathrel{\#^i} e'$, iff $e \# e'$ and both $[e] \cup \lfloor e' \rfloor$ and $\lfloor e \rfloor \cup [e']$ are configurations. Lastly, given two LESs $\mathcal{E} := (E, <, \#, h)$ and $\mathcal{E}' := (E', <', \#', h')$, we say that $\mathcal{E}$ is a prefix of $\mathcal{E}'$, written $\mathcal{E} \trianglelefteq \mathcal{E}'$, when $E \subseteq E'$, $<$ and $\#$ are the projections of $<'$ and $\#'$ to $E$, and $E \supseteq \{e' \in E' : e' <' e \wedge e \in E\}$.

Our semantics will unroll the system $M$ into a LES $\mathcal{U}_{M,\Diamond}$ whose events are labelled by transitions of $M$. Each configuration of $\mathcal{U}_{M,\Diamond}$ will correspond to the dependence graph $\mathcal{D}_{\Diamond,\sigma}$ of some $\sigma \in \mathit{runs}(M)$. For a LES $(E, <, \#, h)$ and a configuration $C$, we define the interleavings of $C$ as $\mathit{inter}(C) := \{h(e_1) \ldots h(e_n) : \{e_1, \ldots, e_n\} = C \wedge (e_i < e_j \Rightarrow i < j)\}$, i.e., the label sequences of the linearizations of $C$. Although for an arbitrary LES $\mathit{inter}(C)$ may contain sequences not in $\mathit{runs}(M)$, the definition of $\mathcal{U}_{M,\Diamond}$ will ensure that $\mathit{inter}(C) \subseteq \mathit{runs}(M)$. Additionally, since all sequences in $\mathit{inter}(C)$ belong to the same trace, all of them reach the same state. Abusing the notation, we define $\mathit{state}(C) := \mathit{state}(\sigma)$ if $\sigma \in \mathit{inter}(C)$. The definition is neither well-given nor unique for an arbitrary LES, but will be so for the unfolding.

We now define $\mathcal{U}_{M,\Diamond}$. Each event will be inductively identified by a canonical name of the form $e := (t, H)$, where $t \in T$ is a transition of $M$ and $H$ a configuration of $\mathcal{U}_{M,\Diamond}$. Intuitively, $e$ represents the occurrence of $t$ after the history (or the causes) $H := [e]$. The definition will be inductive. The base case inserts into the unfolding a special bottom event $\bot$ on which every event causally depends. The inductive case iteratively extends the unfolding with one event. We define the set $\mathcal{H}_{\mathcal{E},\Diamond,t}$ of candidate histories for a transition $t$ in an LES $\mathcal{E}$ as the set which contains exactly all configurations $H$ of $\mathcal{E}$ such that
■ transition $t$ is enabled at $\mathit{state}(H)$, and
■ either $H = \{\bot\}$ or all $<$-maximal events $e$ in $H$ satisfy that $h(e) \otimes t$,
where $h$ is the labelling function in $\mathcal{E}$. Once an event $e$ has been inserted into the unfolding, its associated transition $h(e)$ may be dependent with $h(e')$ for some $e'$ already present and outside the history of $e$. Since the order of occurrence of $e$ and $e'$ matters, we need to prevent their occurrence within the same configuration, as configurations represent equivalent executions. So we introduce a conflict between $e$ and $e'$. The set $\mathcal{K}_{\mathcal{E},\Diamond,e}$ of events conflicting with $e := (t, H)$ thus contains any event $e'$ in $\mathcal{E}$ with $e' \notin [e]$ and $e \notin [e']$ and $t \otimes h(e')$.

Following common practice [4], the definition of $\mathcal{U}_{M,\Diamond}$ proceeds in two steps. We first define (Def. 3) the collection of all prefixes of the unfolding. Then we show that there exists only one $\trianglelefteq$-maximal element in the collection, and define it to be the unfolding (Def. 4).

► Definition 3 (Finite unfolding prefixes). The set of finite unfolding prefixes of $M$ under the independence relation $\Diamond$ is the smallest set of LESs that satisfies the following conditions:

1. The LES having exactly one event $\bot$, empty causality and conflict relations, and $h(\bot) := \varepsilon$ is an unfolding prefix.

2. Let $\mathcal{E}$ be an unfolding prefix containing a history $H \in \mathcal{H}_{\mathcal{E},\Diamond,t}$ for some transition $t \in T$. Then, the LES $(E, <, \#, h)$ resulting from extending $\mathcal{E}$ with a new event $e := (t, H)$ and satisfying the following constraints is also an unfolding prefix of $M$:
   ■ for all $e' \in H$, we have $e' < e$;
   ■ for all $e' \in \mathcal{K}_{\mathcal{E},\Diamond,e}$, we have $e \# e'$; and $h(e) := t$.

Intuitively, each unfolding prefix contains the dependence graph (configuration) of one or more executions of $M$ (of finite length). The unfolding starts from $\bot$, the “root” of the tree, and then iteratively adds events enabled by some configuration until saturation, i.e., when no more events can be added. Observe that the number of unfolding prefixes as per Def. 3 will be finite iff all runs of $M$ terminate. Due to lack of space, we give the definition
[Figure 1 (a): the concurrent program, three processes with one statement each, x=1 (process w) ∥ y=x (process r) ∥ z=x (process r'). Figure 1 (b): its unfolding, events 1 to 10, described in Example 6. Figure 1 (c): the call tree of Alg. 1, recovered below from the figure; each node is written C|D|A, ∅ stands for the configuration {⊥}, event numbers are those of Fig. 1 (b), and children are indented under their parent.]

  ∅|∅|∅
    1|∅|∅
      1,2|∅|∅
        1,2,3|∅|∅          X = {4,7}
    ∅|1|4
      4|1|∅
        4,5|1|∅
          4,5,6|1|∅        X = {1,7}
        4|1,5|7
          4,7|1,5|∅
            4,7,8|1,5|∅    X = {1,5,9}
      ∅|1,4|7,9
        7|1,4|9
          7,9|1,4|∅
            7,9,10|1,4|∅   X = {1,4,5}

Figure 1 Running example. (a) A concurrent program; (b) its unfolding semantics; (c) the exploration performed by Alg. 1, where each node C|D|A represents one call to the function Explore(C, D, A). The set X underneath each leaf node is such that the value of variable U in Alg. 1 at the leaf is U = C ∪ D ∪ X. At ∅|∅|∅, the alternative taken is {4}, and at 4|1|∅ it is {7}.


of infinite unfolding prefix in App. A, as the main ideas of this section are well conveyed 
using only finite prefixes. In the sequel, by unfolding prefix we mean a finite or infinite one. 

Our first task is checking that each unfolding prefix is indeed a LES (Lemma 14). Next one shows that the configurations of every unfolding prefix correspond to the Mazurkiewicz traces of the system, i.e., for any configuration $C$, $\mathit{inter}(C) = \mathcal{T}_{\Diamond,\sigma}$ for some $\sigma \in \mathit{runs}(M)$ (Lemma 16). This implies that the definition of $\mathit{inter}(C)$ and $\mathit{state}(C)$ is well-given when $C$ belongs to an unfolding prefix. The second task is defining the unfolding $\mathcal{U}_{M,\Diamond}$ of $M$. Here, we prove that the set of unfolding prefixes equipped with relation $\trianglelefteq$ forms a complete join-semilattice (Lemma 17). This implies the existence of a unique $\trianglelefteq$-maximal element:

► Definition 4 (Unfolding). The unfolding $\mathcal{U}_{M,\Diamond}$ of $M$ under the independence relation $\Diamond$ is the unique $\trianglelefteq$-maximal element in the set of unfolding prefixes of $M$ under $\Diamond$.

Finally we verify that the definition is well given and that the unfolding is complete, i.e., 
every run of the system is represented by a unique configuration of the unfolding. 

► Theorem 5. The unfolding $\mathcal{U}_{M,\Diamond}$ exists and is unique. Furthermore, for any non-empty run $\sigma$ of $M$, there exists a unique configuration $C$ of $\mathcal{U}_{M,\Diamond}$ such that $\sigma \in \mathit{inter}(C)$.

► Example 6 (Programs). Figure 1 (a) shows a concurrent program, where process $w$ writes the global variable $x$ and processes $r$ and $r'$ read it. We can associate various semantics to it. Under an empty independence relation, the unfolding would be the computation tree, where executions would be totally ordered. Considering (the unique transition of) $r$ and $r'$ independent, and $w$ dependent on them, we get the unfolding shown in Fig. 1 (b).

Events are numbered from 1 to 10, and labelled with a transition. Arrows represent causality between events and dotted lines immediate conflict. The Mazurkiewicz trace of each deadlocking execution is represented by a unique $\subseteq$-maximal configuration, e.g., the run $w.r.r'$ yields configuration $\{1, 2, 3\}$, where the two possible interleavings reach the same state. The canonical name of, e.g., event 1 is $(w, \{\bot\})$. For event 2 it is $(r, \{\bot, 1\})$. Let $\mathcal{V}$ be the unfolding prefix that contains events $\{\bot, 1, 2\}$. Definition 3 can extend it with three possible events: 3, 4, and 7. Consider transition $r'$. Three configurations of $\mathcal{V}$ enable $r'$: $\{\bot\}$, $\{\bot, 1\}$
[Figure 2 (a) A Petri net; (b) its classic unfolding; (c) our parametric semantics.]


and $\{\bot, 1, 2\}$. But since $\neg(h(2) \otimes r')$, only the first two will be in $\mathcal{H}_{\mathcal{V},\Diamond,r'}$, resulting in events $3 := (r', \{\bot, 1\})$ and $7 := (r', \{\bot\})$. Also, $\mathcal{K}_{\mathcal{V},\Diamond,7}$ is $\{1\}$, as $w \otimes r'$. The 4 maximal configurations are $\{1,2,3\}$, $\{4,5,6\}$, $\{4,7,8\}$ and $\{7,9,10\}$, resp. reaching the states $(x, y, z) = (1,1,1)$, $(1,0,1)$, $(1,0,0)$ and $(1,1,0)$, assuming that variables start at 0.

► Example 7 (Comparison to Petri Net Unfoldings). In contrast to our parametric semantics, classical unfoldings of Petri nets [5] use a fixed independence relation, specifically the complement of the following one (valid only for safe nets): given two transitions $t$ and $t'$,

$t \otimes_n t'$ iff $({}^\bullet t \cap {}^\bullet t' \neq \emptyset)$ or $(t^\bullet \cap {}^\bullet t' \neq \emptyset)$ or $({}^\bullet t \cap t'^\bullet \neq \emptyset)$,

where ${}^\bullet t$ and $t^\bullet$ are respectively the preset and postset of $t$. Classic Petri net unfoldings (of safe nets) are therefore a specific instantiation of our semantics. A well known limitation of classic unfoldings are transitions that “read” places, e.g., $t_1$ and $t_2$ in Fig. 2 (a). Since $t_1 \otimes_n t_2$, the classic unfolding, Fig. 2 (b), sequentializes all their occurrences. A solution to this is the so-called place replication (PR) unfolding [15], or alternatively contextual unfoldings (which anyway internally are of asymptotically the same size as the PR-unfolding).

This problem vanishes with our parametric unfolding. It suffices to use a dependency relation ${\otimes_c} \subseteq {\otimes_n}$ that makes transitions that “read” common places independent. The result is that our unfolding, Fig. 2 (c), can be of the same size as the PR-unfolding, i.e., exponentially more compact than the classic unfolding. For instance, when Fig. 2 (a) is generalized to $n$ reading transitions, the classic unfolding would have $O(n!)$ copies of $t_3$, while ours would have $O(2^n)$. The point here is that our semantics naturally accommodates a more suitable notion of independence without resorting to specific ad-hoc tricks.

Furthermore, although this work is restricted to unconditional independence, we conjecture that an adequately restricted conditional dependence would suffice, e.g., the one of [12]. Gains achieved in such a setting would be difficult with classic unfoldings.
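As an added illustration (not from the paper), the following Python script runs the saturation of Definition 3 on the program of Fig. 1 (a) with r and r' independent, as in Example 6. Events are the canonical names (t, H) of this section; candidate histories and configurations follow the definitions above, and conflicts are computed from direct conflicts between events of the two local configurations, so that inheritance (2) of Definition 2 holds by construction. It reproduces the ten events and four maximal configurations of Example 6. The state encoding and all helper names are ours.

```python
# Added example (not from the paper): Definition 3 run to saturation on the
# program of Fig. 1 (a). Events are (label, causes) pairs, where causes is the
# frozenset [e]; BOT is the bottom event with the empty label.
from itertools import combinations

S0 = (0, 0, 0, 0, 0, 0)            # (pc_w, pc_r, pc_r', x, y, z); variables start at 0
def w(s):  return None if s[0] else (1, s[1], s[2], 1, s[4], s[5])      # x = 1
def r(s):  return None if s[1] else (s[0], 1, s[2], s[3], s[3], s[5])   # y = x
def r2(s): return None if s[2] else (s[0], s[1], 1, s[3], s[4], s[3])   # z = x
T = {"w": w, "r": r, "r'": r2}     # partial functions: None means "not enabled"
INDEP = {("r", "r'"), ("r'", "r")}
def dep(a, b): return (a, b) not in INDEP        # dependence, the complement of the independence relation

BOT = ("", frozenset())                 # the bottom event: (label, causes)
def label(e): return e[0]
def causes(e): return e[1]              # [e]; transitively closed by construction
def local(e): return causes(e) | {e}    # the local configuration of e

def conflict(e, f):
    """e # f: some pair of distinct non-bottom events of the two local
    configurations has dependent labels with neither a cause of the other
    (a direct conflict, the K set of Definition 3); taking the pairs from the
    local configurations makes the relation inherited along causality."""
    return any(a != b and a != BOT and b != BOT and dep(label(a), label(b))
               and a not in causes(b) and b not in causes(a)
               for a in local(e) for b in local(f))

def is_config(c):
    """Causally closed and conflict free (conditions (3) and (4))."""
    return all(causes(e) <= c for e in c) and not any(conflict(e, f) for e, f in combinations(c, 2))

def configurations(events):
    rest = [e for e in events if e != BOT]
    for n in range(len(rest) + 1):
        for sub in combinations(rest, n):
            c = frozenset(sub) | {BOT}
            if is_config(c):
                yield c

def state(c):
    """state(C): fire the labels along any linearization (causes first)."""
    s = S0
    for e in sorted(c, key=lambda e: len(causes(e))):
        if e != BOT:
            s = T[label(e)](s)
    return s

def candidate_histories(events, t):
    """The candidate histories of t: configurations H with t enabled at
    state(H), where H = {BOT} or every <-maximal event of H has a label
    dependent on t."""
    for h in configurations(events):
        if T[t](state(h)) is None:
            continue
        maximal = [e for e in h if not any(e in causes(f) for f in h)]
        if h == {BOT} or all(dep(label(e), t) for e in maximal):
            yield h

def unfold():
    """Saturation: add (t, H) for every candidate history not yet present
    until nothing changes; finite here because every run terminates."""
    events = {BOT}
    changed = True
    while changed:
        changed = False
        for t in T:
            for h in list(candidate_histories(events, t)):
                if (t, h) not in events:
                    events.add((t, h))
                    changed = True
    return events

def maximal_configurations(events):
    """Configurations C that no event outside C can extend without conflict."""
    return [c for c in configurations(events)
            if not any(e not in c and causes(e) <= c and is_config(c | {e}) for e in events)]

if __name__ == "__main__":
    ev = unfold()
    print(len(ev) - 1, "events besides the bottom event")
    for c in maximal_configurations(ev):
        print(sorted(label(e) for e in c if e != BOT), "-> (x, y, z) =", state(c)[3:])
```

Running it reports 10 events and the four maximal configurations with the states listed in Example 6; candidate_histories applied to the prefix {⊥, 1, 2} and r' yields exactly the two histories {⊥} and {⊥, 1} discussed there, since the maximal event 2 of {⊥, 1, 2} is labelled with r, which is independent of r'.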

4 Stateless Unfolding Exploration Algorithm

We present a DPOR algorithm to explore an arbitrary event structure (e.g., the one of § 3) 
instead of sequential executions. Our algorithm explores one configuration at a time and 
organizes the exploration into a binary tree. Figure 1 (c) shows an example. The algorithm 
is optimal [2], in the sense that no configuration is ever visited twice in the tree. 

For the rest of the paper, let $\mathcal{U}_{M,\Diamond} := (E, <, \#, h)$ be the unfolding of $M$ under $\Diamond$, which we abbreviate as $\mathcal{U}$. For this section we assume that $\mathcal{U}$ is finite, i.e., that all computations of $M$ terminate. This is only to ease presentation; we relax this assumption in § 5.2.
Algorithm 1: An unfolding-based POR exploration algorithm.

 1  Initially, set U := {⊥}, set G := ∅, and call Explore({⊥}, ∅, ∅).
 2  Procedure Explore(C, D, A)
 3      Extend(C)
 4      if en_U(C) = ∅ return
 5      if A = ∅
 6          Choose e from en_U(C)
 7      else
 8          Choose e from A ∩ en_U(C)
 9      Explore(C ∪ {e}, D, A \ {e})
10      if ∃ J ∈ Alt(C, D ∪ {e})
11          Explore(C, D ∪ {e}, J \ C)
12      Remove(e, C, D)
13  Procedure Extend(C)
14      Add ex(C) to U
15  Procedure Remove(e, C, D)
16      Move {e} \ Q_{C,D,U} from U to G
17      foreach ê ∈ #ⁱ_U(e)
18          Move ⌊ê⌋ \ Q_{C,D,U} from U to G
We give some new definitions. Let $C$ be a configuration of $\mathcal{U}$. The extensions of $C$, written $\mathit{ex}(C)$, are all those events outside $C$ whose causes are included in $C$. Formally, $\mathit{ex}(C) := \{e \in E : e \notin C \wedge [e] \subseteq C\}$. We let $\mathit{en}(C)$ denote the set of events enabled by $C$, i.e., those corresponding to the transitions enabled at $\mathit{state}(C)$, formally defined as $\mathit{en}(C) := \{e \in \mathit{ex}(C) : C \cup \{e\} \in \mathit{conf}(\mathcal{U})\}$. All those events in $\mathit{ex}(C)$ which are not in $\mathit{en}(C)$ are the conflicting extensions, $\mathit{cex}(C) := \{e \in \mathit{ex}(C) : \exists e' \in C,\ e \# e'\}$. Clearly, sets $\mathit{en}(C)$ and $\mathit{cex}(C)$ partition the set $\mathit{ex}(C)$. Lastly, we define $\#^i(e) := \{e' \in E : e \mathrel{\#^i} e'\}$, and $\#^i_U(e) := \#^i(e) \cap U$. The difference between both is that $\#^i(e)$ contains events from anywhere in the unfolding structure, while $\#^i_U(e)$ can only see events in $U$.

The algorithm is given in Alg. 1. Explore(C, D, A), the main procedure, is given the configuration that is to be explored as the parameter C. The parameter D (for disabled) is the set of events that have already been explored and prevents Explore() from repeating work. It can be seen as a sleep set [7]. Set A (for add) is occasionally used to guide the direction of the exploration.

Additionally, a global set U stores all events presently known to the algorithm. Whenever some event can safely be discarded from memory, Remove will move it from U to G (for garbage). Once in G, it can be discarded at any time, or be preserved in G in order to save work when it is re-inserted in U. Set G is thus our cache memory of events.

The key intuition in Alg. 1 is as follows. A call to Explore(C, D, A) visits all maximal configurations of $\mathcal{U}$ which contain C and do not contain D; and the first one explored will contain C ∪ A. Figure 1 (c) gives one execution, tree nodes are of the form C|D|A.

The algorithm first updates U with all extensions of C (procedure Extend). If C is a maximal configuration, then there is nothing to do, it backtracks. If not, it chooses an event in U enabled at C, using the function $\mathit{en}_U(C) := \mathit{en}(C) \cap U$. If A is empty, any enabled event can be taken. If not, A needs to be explored and e must come from the intersection. Next it makes a recursive call (left subtree), where it explores all configurations containing all events in C ∪ {e} and no event from D. Since Explore(C, D, A) had to visit all maximal configurations containing C, it remains to visit those containing C but not e, but only if there exists at least one! Thus, we determine whether $\mathcal{U}$ has a maximal configuration that contains C, does not contain D and does not contain e. Function Alt will return a set of events that witness the existence of such a configuration (iff one exists). If one exists, we make
a second recursive call (right subtree). Formally, we call such a witness an alternative:

► Definition 8 (Alternatives). Given a set of events $U \subseteq E$, a configuration $C \subseteq U$, and a set of events $D \subseteq U$, an alternative to $D$ after $C$ is any configuration $J \subseteq U$ satisfying that
■ $C \cup J$ is a configuration (5)
■ for all events $e \in D$, there is some $e' \in C \cup J$ such that $e' \in \#^i_U(e)$. (6)

Function Alt(X, Y) returns all alternatives (in U) to Y after X. Notice that it is called as Alt(C, D ∪ {e}) from Alg. 1. Any returned alternative J witnesses the existence of a maximal configuration $C'$ (constructed by arbitrarily extending $C \cup J$) where $C' \cap (D \cup \{e\}) = \emptyset$.

Although Alt reasons about maximal configurations of $\mathcal{U}$, thus potentially about events which have not yet been seen, it can only look at events in U. So the set U needs to be large enough to contain enough conflicting events to satisfy (6). Perhaps surprisingly, it suffices to store only events seen (during the past exploration) in immediate conflict with C and D. Consequently, when the algorithm calls Remove, to clean from U events that are no longer necessary (i.e., necessary to find alternatives in the future), it needs to preserve at least those conflicting events. Specifically, Remove will preserve in U the following events:

$Q_{C,D,U} := C \cup D \cup \bigcup_{e \in C \cup D,\ e' \in \#^i_U(e)} \lfloor e' \rfloor.$

That is, events in C, in D and events in conflict with those. An alternative definition that makes $Q_{C,D,U}$ smaller would mean that Remove discards more events, which could prevent a future call to Alt from discovering a maximal configuration that needs to be explored.

We focus now on the correctness of Alg. 1. Every call to Explore(C, D, A) explores a tree, where the recursive calls at lines 9 and 11 respectively explore the left and right subtrees (proof in Corollary 25). Tree nodes are tuples (C, D, A) corresponding to the arguments of calls to Explore, cf. Fig. 1. We refer to this object as the call tree. For every node, both C and C ∪ A are configurations, and $D \subseteq \mathit{ex}(C)$ (Lemma 18). As the algorithm goes down in the tree it monotonically increases the size of either C or D. Since $\mathcal{U}$ is finite, this implies that the algorithm terminates:

► Theorem 9 (Termination). Regardless of its input, Alg. 1 always stops. 

Next we check that Alg. 1 never visits twice the same configuration, which is why it 
is called an optimal POR [2]. We show that for every node in the call tree, the set of 
configurations in the left and right subtrees are disjoint (Lemma 24). This implies that: 

► Theorem 10 (Optimality). Let C be a maximal configuration of $\mathcal{U}$. Then Explore(·, ·, ·) is called at most once with its first parameter being equal to C.

Parameter A of Explore plays a central role in making Alg. 1 optimal. It is necessary to 
ensure that, once the algorithm decides to explore some alternative J, such an alternative 
is visited first. Not doing so makes it possible to extend C in such a way that no maximal 
configuration can ever avoid including events in D. Such a configuration, referred as a 
sleep-set blocked execution in [2], has already been explored before. 

Finally, we ensure that Alg. 1 visits every maximal configuration of $\mathcal{U}$. This essentially reduces to showing that it makes the second recursive call, line 11, whenever there exists some unexplored maximal configuration not containing D ∪ {e}. The difficulty of proving so (Lemma 27) comes from the fact that Alg. 1 only sees events in U. Due to space constraints, we omit an additional result on the memory consumption, cf. App. B.5.

► Theorem 11 (Completeness). Let C be a maximal configuration of $\mathcal{U}$. Then Explore(·, ·, ·) is called at least once with its first parameter being equal to C.
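As an added illustration (not from the paper), the following Python script runs Alg. 1 over the finite unfolding of Fig. 1 (b), whose ten events are written down from the figure as (label, causes) pairs; conflicts, immediate conflicts and configurations are computed from the definitions of Sections 3 and 4. Since U holds the entire (finite) unfolding, Extend and Remove are omitted; Alt is a brute-force search over countering events that suffices for an unfolding of this size; the deterministic choice of the smallest enabled event is ours. It visits the four maximal configurations exactly once each, in the order of the call tree of Fig. 1 (c).

```python
# Added example (not from the paper): Alg. 1 on the unfolding of Fig. 1 (b),
# with U equal to the whole finite unfolding (so Extend/Remove are not needed).
from itertools import combinations, product

INDEP = {("r", "r'"), ("r'", "r")}          # r and r' independent, w dependent on both
def dep(a, b): return (a, b) not in INDEP

# Fig. 1 (b): event number -> (label, causes). Event 0 is the bottom event.
EVENTS = {
    0: ("", set()),
    1: ("w", {0}),      2: ("r", {0, 1}),     3: ("r'", {0, 1}),
    4: ("r", {0}),      5: ("w", {0, 4}),     6: ("r'", {0, 4, 5}),
    7: ("r'", {0}),     8: ("w", {0, 4, 7}),  9: ("w", {0, 7}),
    10: ("r", {0, 7, 9}),
}
def label(e): return EVENTS[e][0]
def causes(e): return EVENTS[e][1]
def local(e): return causes(e) | {e}

def conflict(e, f):
    """e # f: two distinct non-bottom events of the local configurations have
    dependent labels and neither is a cause of the other (inheritance included)."""
    return any(a != b and a and b and dep(label(a), label(b))
               and a not in causes(b) and b not in causes(a)
               for a in local(e) for b in local(f))

def is_config(c):
    return all(causes(e) <= c for e in c) and not any(conflict(e, f) for e, f in combinations(c, 2))

def imm_conflict(e, f):
    """e #^i f: in conflict, and [e] U local(f) and local(e) U [f] are configurations."""
    return conflict(e, f) and is_config(causes(e) | local(f)) and is_config(local(e) | causes(f))

def en(c):
    """en(C): extensions of C that do not conflict with C, smallest number first."""
    return sorted(e for e in EVENTS if e not in c and causes(e) <= c and is_config(c | {e}))

def alt(c, d):
    """An alternative to D after C (Def. 8), or None. Events of D already in
    immediate conflict with C need nothing; for each other event we try every
    countering event and take the union of their local configurations."""
    todo = [e for e in d if not any(imm_conflict(e, f) for f in c)]
    options = [[f for f in EVENTS if imm_conflict(e, f)] for e in todo]
    for pick in product(*options):
        j = set().union(*(local(f) for f in pick))
        if is_config(j) and is_config(c | j):
            return j
    return None

VISITED = []        # maximal configurations, in the order Alg. 1 reaches them

def explore(c, d, a):
    enabled = en(c)
    if not enabled:                               # line 4: C is maximal
        VISITED.append(frozenset(c)); return
    e = enabled[0] if not a else min(a & set(enabled))   # lines 5-8
    explore(c | {e}, d, a - {e})                  # line 9: left subtree
    j = alt(c, d | {e})                           # line 10
    if j is not None:
        explore(c, d | {e}, j - c)                # line 11: right subtree

def run():
    """Explore({bottom}, {}, {}) and return the visited maximal configurations."""
    VISITED.clear()
    explore({0}, set(), set())
    return list(VISITED)

if __name__ == "__main__":
    for c in run():
        print(sorted(c - {0}))
```

The right subtrees taken at ∅|∅|∅ and ∅|1|4 come from the alternatives {4} and {7, 9}, exactly the witnesses of Fig. 1 (c); at 1,2|∅|∅, for instance, Alt finds nothing because no event outside {⊥, 1, 2, 3} is in immediate conflict with event 3, so the subtree ends without a second call.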
5 Improvements

5.1 State Caching 

Stateless model checking algorithms explore only one configuration of $\mathcal{U}$ at a time, thus
potentially under-using remaining available memory. A desirable property for an algorithm 
is the capacity to exploit all available memory without imposing the liability of actually 
requiring it. The algorithm in § 4 satisfies this property. The set G, storing events discarded 
from U, can be cleaned at discretion, e.g., when the memory is approaching full utilisation. 
Events cached in G are exploited in two different ways. 

First, whenever an event in G shall be included again in U, we do not need to reconstruct 
it in memory (causality, conflicts, etc.). In extreme cases, this might happen frequently. 
Second, using the result of the next section, cached events help prune the number of maximal 
configurations to visit. This means that our POR potentially visits fewer final states than
the number of configurations of U, thus conforming to the requirements of a super-optimal 
DPOR. The larger G is, the fewer configurations will be explored. 

5.2 Non-Acyclic State Spaces 

In this section we remove the assumption that U_{M,◇} is finite. We employ the notion of cutoff
events [14]. While cutoffs are a standard tool for unfolding pruning, their application to our
framework brings unexpected problems.

The core question here is preventing Alg. 1 from getting stuck in the exploration of
an infinite configuration. We need to create the illusion that maximal configurations are
finite. We achieve this by substituting procedure Extend in Alg. 1 with another procedure
Extend' that operates as Extend except that it only adds to U an event e ∈ ex(C)
if the predicate cutoff(e, U, G) evaluates to false. We define cutoff(e, U, G) to hold iff there
exists some event e' ∈ U ∪ G such that

state([e]) = state([e']) and |[e']| < |[e]|. (7)

We refer to e' as the corresponding event of e, when it exists. This definition declares e cutoff
as a function of U and G. This has important consequences. An event e could be declared
cutoff while exploring one maximal configuration and non-cutoff while exploring the next,
as the corresponding event might have disappeared from U ∪ G. This is in stark contrast to
the classic unfolding construction, where events are declared cutoffs once and for all. The
main implication is that the standard argument [14,5,3] invented by McMillan for proving
completeness fails. We resort to a completely different argument for proving completeness
of our algorithm (see App. C.1), which we are forced to skip in view of the lack of space.

We focus now on the correctness of Alg. 1 using Extend' instead of Extend. A causal
cutoff is any event e for which there is some e' ∈ [e] satisfying (7). It is well known that
causal cutoffs define a finite prefix of U as per the classic saturation definition [3]. Also,
cutoff(e, U, G) always holds for causal cutoffs, regardless of the contents of U and G. This
means that the modified algorithm can only explore configurations from a finite prefix. It
thus necessarily terminates. As for optimality, it is unaffected by the use of cutoffs; existing
proofs for Alg. 1 still work. Finally, for completeness we prove the following result, stating
that local reachability (e.g., fireability of transitions of M) is preserved:

► Theorem 12 (Completeness). For any reachable state s ∈ reach(M), Alg. 1 updated with
the cutoff mechanism described above explores one configuration C such that for some C' ⊆ C
it holds that state(C') = s.
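As an added illustration of the cutoff predicate (7) and of the remark on causal cutoffs above (this is example code written for this page, not Poet's implementation), the following Python snippet models events by their causal predecessors and an abstract state label, evaluates cutoff(e, U, G) against U ∪ G, and shows the two behaviours the text describes: a causal cutoff stays cut off whatever G contains, whereas an event whose corresponding event survives only in the cache G stops being a cutoff once G is cleaned. Event names, state labels and the scenario are constructed; [e] is taken to be the causal predecessors of e together with e itself.

```python
# Added example (not code from the paper or from Poet): the cutoff predicate
# cutoff(e, U, G) of (7) over a constructed toy prefix. Event names, the
# abstract state labels and the scenario are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set


@dataclass(frozen=True)
class Event:
    name: str
    causes: FrozenSet[str]   # names of the strict causal predecessors of the event
    state: str               # label standing for state([e]), the state reached by [e]

    def local_config(self) -> FrozenSet[str]:
        """[e] = causal predecessors of e together with e itself."""
        return self.causes | {self.name}


def is_cutoff(e: Event, U: Set[Event], G: Set[Event]) -> bool:
    """cutoff(e, U, G) as in (7): some e' in U ∪ G reaches the same state with
    a strictly smaller local configuration."""
    return any(
        ep.state == e.state and len(ep.local_config()) < len(e.local_config())
        for ep in U | G
    )


def is_causal_cutoff(e: Event, known: Iterable[Event]) -> bool:
    """Causal cutoff: the corresponding event e' lies in [e] itself, so the
    verdict does not depend on what U and G currently contain."""
    by_name = {x.name: x for x in known}
    return any(
        by_name[n].state == e.state
        and len(by_name[n].local_config()) < len(e.local_config())
        for n in e.causes
        if n in by_name
    )


# Constructed scenario: thread 1 acquires (a) and releases (b) a lock, which
# brings the global state back to s0; thread 2 reaches s1 by a longer path (c, d).
BOT = Event("bot", frozenset(), "s0")
A = Event("a", frozenset({"bot"}), "s1")
B = Event("b", frozenset({"bot", "a"}), "s0")
C = Event("c", frozenset({"bot"}), "s2")
D = Event("d", frozenset({"bot", "c"}), "s1")
ALL = {BOT, A, B, C, D}


def demo() -> dict:
    # b is a causal cutoff: bot in [b] has state s0 and |[bot]| = 1 < 3 = |[b]|.
    b_causal = is_causal_cutoff(B, ALL)
    b_empty_cache = is_cutoff(B, {BOT, A}, set())      # holds even with G empty
    # d is cut off only while its corresponding event a is still in U ∪ G ...
    d_with_cache = is_cutoff(D, {BOT, C}, {A})
    # ... and becomes a non-cutoff once G is cleaned and a has left U.
    d_cache_cleaned = is_cutoff(D, {BOT, C}, set())
    return {
        "b_causal_cutoff": b_causal,
        "b_cutoff_empty_cache": b_empty_cache,
        "d_cutoff_with_cache": d_with_cache,
        "d_cutoff_cache_cleaned": d_cache_cleaned,
        "d_causal_cutoff": is_causal_cutoff(D, ALL),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the five verdicts; the two `d` entries differ only in the contents of G, which is exactly the dependence on U and G that breaks the classic once-and-for-all cutoff argument.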
Table 1 Programs with acyclic state space. Columns are: |P|: nr. of threads; |T|: nr. of explored
traces; |B|: nr. of sleep-set blocked executions; t(s): running time; |E|: nr. of events in U; |E_cut|: nr.
of cutoff events; |Ω|: nr. of maximal configurations; ⟨|U_Ω|⟩: avg. nr. of events in U when exploring
a maximal configuration. A * marks programs containing bugs. <7K reads as “fewer than 7000”.

Benchmark         | Nidhugg               | Poet (without cutoffs)                | Poet (with cutoffs)
Name       |P|    | |T|    |B|   t(s)      | |E|     |Ω|    ⟨|U_Ω|⟩   t(s)       | |E|     |E_cut|  |Ω|    ⟨|U_Ω|⟩   t(s)
Stf        3      | 6      0     0.06      | 121     6      79        0.04       | 121     0        6      79        0.06
Stf*       3      | -      -     0.05      | -       -      -         0.02       | -       -        -      -         0.03
SpinOS     3      | 84     0     0.08      | 2974    84     1506      2.04       | 2974    0        84     1506      2.93
Fib        3      | 8953   0     3.36      | <185K   8953   92878     305        | <185K   0        8953   92878     704
Fib*       3      | -      -     0.74      | -       -      -         81.0       | -       -        -      -         133
Ccnf(9)    9      | 16     0     0.05      | 49      16     46        0.07       | 49      0        16     46        0.06
Ccnf(17)   17     | 256    0     0.15      | 97      256    94        5.76       | 97      0        256    94        6.09
Ccnf(19)   19     | 512    0     0.28      | 109     512    106       22.5       | 109     0        512    106       22.0
SSB        5      | 4      2     0.05      | 48      4      38        0.03       | 46      1        4      37        0.03
SSB(1)     5      | 22     14    0.06      | 245     23     143       0.11       | 237     4        23     140       0.11
SSB(3)     5      | 169    67    0.12      | 2798    172    1410      3.51       | 1179    48       90     618       0.90
SSB(4)     5      | 336    103   0.15      | <7K     340    3333      20.3       | 2179    74       142    1139      2.07
SSB(8)     5      | 2014   327   0.85      | <67K    2022   32782     4118       | <12K    240      470    6267      32.1


Lastly, we note that this cutoff approach imposes no liability on what events shall be
kept in the prefix; the set G can be cleaned at discretion. Also, redefining (7) to use adequate
orders [5] is straightforward, cf. App. C.1 (in our proofs we actually assume adequate orders).
6 Experiments


As a proof of concept, we implemented our algorithm in a new explicit-state model checker
baptized Poet (Partial Order Exploration Tool).¹ Written in Haskell, a lazy functional
language, it analyzes programs from a restricted fragment of the C language and supports
POSIX threads. The analyzer accepts deterministic programs, implements a variant of Alg. 1
where the computation of the alternatives is memoized, and supports cutoff events with
the criteria defined in § 5.

We ran Poet on a number of multi-threaded C programs. Most of them are adapted from
benchmarks of the Software Verification Competition [17]; others are used in related works [8,
19,2]. We investigate the characteristics of average program unfoldings (depth, width, etc.)
as well as the frequency and impact of cutoffs on the exploration. We also compare Poet
with Nidhugg [1], a state-of-the-art stateless model checker for multi-threaded C programs
that implements Source-DPOR [2], an efficient but non-optimal DPOR. All experiments
were run on an Intel Xeon CPU with 2.4 GHz and 4 GB memory. Tables 1 and 2 give our
experimental data for programs with acyclic and non-acyclic state spaces, respectively.

For programs with acyclic state spaces (Table 1), Poet with and without cutoffs seems to
perform the same exploration when the unfolding has no cutoffs, as expected. Furthermore,
the number of explored executions also coincides with Nidhugg when the latter reports 0
sleep-set blocked executions (cf. § 4), providing experimental evidence of Poet's optimality.

The unfoldings of most programs in Table 1 do not contain cutoffs. All these programs
are deterministic, and many of them highly sequential (Stf, SpinOS, Fib), features known
to make cutoffs unlikely. Ccnf(n) are concurrent programs composed of n - 1 threads
where thread i and i + 1 race on writing one variable, and are independent of all remaining

¹ Source code and benchmarks available from: http://www.cs.ox.ac.uk/people/marcelo.sousa/poet/.


Table 2 Programs with non-terminating executions. Column b is the loop bound. The value is
chosen based on experiments described in [1].

Benchmark              | Nidhugg                | Poet (with cutoffs)
Name          |P|  b   | |T|      |B|   t(s)    | |E|     |E_cut|  |Ω|    ⟨|U_Ω|⟩   t(s)
Szymanski     3    -   | 103      0     0.07    | 1121    313      159    591       0.36
Dekker        3    10  | 199      0     0.11    | 217     14       21     116       0.07
Lamport       3    10  | 32       0     0.06    | 375     28       30     208       0.12
Peterson      3    10  | 266      0     0.11    | 175     15       20     100       0.05
Pgsql         3    10  | 20       0     0.06    | 51      8        4      40        0.03
Rwlock        5    10  | 2174     14    0.83    | <7317   531      770    3727      12.29
Rwlock(2)*    5    2   | -        -     7.88    | -       -        -      -         0.40
Prodcons      4    5   | 756756   0     332.62  | 3111    568      386    1622      5.00
Prodcons(2)   4    5   | 63504    0     38.49   | 640     25       15     374       1.61


threads. Their unfoldings resemble Fig. 2 (d), with traces but only O(n) events.
Saturation-based unfolding methods would win here over both Nidhugg and Poet.

In the SSB benchmarks, Nidhugg encounters sleep-set blocked executions, thus performing
sub-optimal exploration. By contrast, Poet finds many cutoff events and achieves a
super-optimal exploration, exploring fewer traces than both Poet without cutoffs and
Nidhugg. The data shows that this super-optimality results in substantial savings in runtime.

For non-acyclic state spaces (Table 2), unfoldings are infinite. We thus compare Poet
with cutoffs and Nidhugg with a loop bound. Hence, while Nidhugg performs bounded
model checking, Poet does complete verification. The benchmarks include classical mutual
exclusion protocols (Szymanski, Dekker, Lamport and Peterson), where Nidhugg is
able to leverage an important static optimization that replaces each spin loop by a load
and assume statement [1]. Hence, the number of traces and maximal configurations is not
comparable. Yet Poet, which could also profit from this static optimization, achieves a
significantly better reduction thanks to cutoffs alone. Cutoffs dynamically prune redundant
unfolding branches and arguably constitute a more robust approach than the load and
assume syntactic substitution. The substantial reduction in the number of explored traces,
several orders of magnitude in some cases, translates into clear runtime improvements. Finally,
in our experiments, both tools were able to successfully discover assertion violations in Stf*,
Fib* and Rwlock(2)*.

In our experiments, Poet's average maximal memory consumption (measured in events)
is roughly half of the size of the unfolding. We also notice that most of these unfoldings are
quite narrow and deep (|E_cut|/|E| is low) when compared with standard benchmarks for Petri
nets. This suggests that they could be amenable to saturation-based unfolding verification,
possibly pointing to the opportunity of applying these methods in software verification.
7 Related Work


This work focuses on explicit-state POR, as opposed to symbolic POR techniques exploited 
inside SAT solvers, e.g., [11,8]. Early POR statically computed the necessary transitions to 
fire at every state [18,7]. Flanagan and Godefroid [6] first proposed to compute persistent 
sets dynamically (DPOR). However, even when combined with sleep sets [7], DPOR was 
still unable to explore exactly one interleaving per Mazurkiewicz trace. Abdulla et al. [2,1] 
recently proposed the first solution to this, using a data structure called wakeup trees. Their 
DPOR is thus optimal (ODPOR) in this sense. 

Unlike us, ODPOR operates on an interleaved execution model. Wakeup trees store
chains of dependencies that assist the algorithm in reversing races thoroughly. Technically,
each branch roughly corresponds to one of our alternatives. According to [2], constructing
and managing wakeup trees is expensive. This seems to be related to the fact that
wakeup trees store canonical linearizations of configurations, and need to canonize executions
before inserting them into the tree to avoid duplicates. Such checks become simple linear-time
verifications when seen as partial orders. Our alternatives are computed dynamically
and exploit these partial orders, although we do not have enough experimental data to
compare with wakeup trees. Finally, our algorithm is able to visit up to exponentially fewer
Mazurkiewicz traces (owing to cutoff events), copes with non-terminating executions, and
profits from state-caching. The work in [2] has none of these features.

Combining DPOR with stateful search is challenging [20]. Given a state s, DPOR relies
on a complete exploration from s to determine the necessary transitions to fire from s, but
such exploration could be pruned if a state is revisited, leading to unsoundness. Combining
both methods requires addressing this difficulty, and two works did so [20,19], but for
non-optimal DPOR. By contrast, incorporating cutoff events into Alg. 1 was straightforward.

Classic, saturation-based unfolding algorithms are also related [14,5,3,10]. They are
inherently stateful and cannot discard events from memory, but they explore events instead of
configurations, and thus may do exponentially less work. They can furthermore guarantee that
the number of explored events will be at most the number of reachable states, which at
present seems a difficult goal for PORs. On the other hand, finding the events to extend
the unfolding is computationally harder. In [10], Kähkönen and Heljanko use unfoldings for
concolic testing of concurrent programs. Unlike ours, their unfolding is not a semantics of
the program, but rather a means for discovering all concurrent program paths.

While one goal of this paper is establishing an (optimal) POR exploiting the same
commutativity as some non-sequential semantics, a longer-term goal is building formal
connections between the latter and PORs. Hansen and Wang [9] presented a characterization of (a
class of) stubborn sets [18] in terms of configuration structures, another non-sequential
semantics more general than event structures. We shall clarify that while we restrict ourselves
to commutativity-based PORs, they attempt a characterization of stubborn sets, which do
not necessarily rely on commutativity.
8 Conclusions


In the context of commutativity-exploiting POR, we introduced an optimal DPOR that
leverages cutoff events to prune the number of explored Mazurkiewicz traces, copes
with non-terminating executions, and uses state caching to speed up revisiting events. The
algorithm provides a new view of DPORs as algorithms exploring an object with richer
structure. In future work, we plan to exploit this richer structure to further reduce the number
of explored traces for both PORs and saturation-based unfoldings.
A Proofs: Unfolding Semantics

In § 3 we defined the set of finite unfolding prefixes of M under the independence relation ◇.
If M has only terminating executions, i.e., all elements in runs(M) are finite, then all
unfolding prefixes are finite. However, if it has non-terminating executions, then we need to
also consider its infinite unfolding prefixes. We will achieve this in Def. 13. First we need a
technical definition and some results about it. Let

F := {(E_1, <_1, #_1, h_1), (E_2, <_2, #_2, h_2), ...}

be a finite or infinite set of unfolding prefixes of M under ◇. We define the union of all of
them as the LES union(F) := (E, <, #, h), where

E := ⋃_{1≤i} E_i,   < := ⋃_{1≤i} <_i,   h := ⋃_{1≤i} h_i,

and # is the ⊆-minimal relation on E × E that satisfies (2) and such that e # e' holds for
any two events e, e' ∈ E if

e ∉ [e'] and e' ∉ [e] and ¬(h(e) ◇ h(e')). (8)

Since every element of F is a LES, clearly union(F) is also a LES; (1) and (2) are trivially
satisfied. Notice that all events in E_1, E_2, E_3, ... are pairs of the form (t, H), and the union
of two or more E_i's will merge many equal events. Indeed, two events e_1 := (t_1, H_1) and
e_2 := (t_2, H_2) are equal iff t_1 = t_2 and H_1 = H_2.

► Definition 13 (Unfolding prefixes, finite or infinite). The set of unfolding prefixes of M
under the independence relation ◇ contains all finite unfolding prefixes, as defined by Def. 3,
together with those constructed by:

■ For any infinite set X of unfolding prefixes, union(X) is also an unfolding prefix.
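The union construction above, as an added worked example (this is illustration code for this page, not the paper's or Poet's). Events are represented as pairs (t, H) with H the frozen set of causal predecessors, so two events are equal exactly when they agree on t and H and a plain set union merges shared events; causality and labels are read off the pairs, and the conflict relation is rebuilt from (8) and then closed under conflict inheritance (e # e' and e' < e'' implies e # e''), which is what the example assumes LES axiom (2) to be. Threads, operations and the independence relation ◇ are constructed.

```python
# Added example (not from the paper or Poet): union(F) of Appendix A over events
# represented as pairs (t, H). Equal pairs merge under set union; # is rebuilt
# from (8) and closed under inheritance (assumed to be axiom (2) of a LES).
# Threads, operations and the independence relation are constructed.
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Event = Tuple[str, FrozenSet]            # (label t, history H)
BOT: Event = ("⊥", frozenset())          # bottom event, shared by every prefix


def independent(t1: str, t2: str) -> bool:
    """Constructed ◇: two transitions are independent iff they belong to different
    threads and touch different variables; ⊥ is independent of nothing."""
    if "⊥" in (t1, t2):
        return False
    th1, op1 = t1.split(":")
    th2, op2 = t2.split(":")
    return th1 != th2 and op1[0] != op2[0]   # op[0] is the variable name


def local_config(e: Event) -> FrozenSet:
    """[e] = H ∪ {e}."""
    return e[1] | {e}


def causally_before(e: Event, f: Event) -> bool:
    """e < f: e belongs to the (causally closed) history of f."""
    return e in f[1]


def union_prefixes(prefixes: Iterable[FrozenSet]) -> Dict[str, object]:
    """union(F): E, < and h are unions of the components; # is the smallest relation
    that contains the pairs given by (8) and is closed under inheritance."""
    E: Set[Event] = set().union(*prefixes)
    lt = {(e, f) for e in E for f in E if causally_before(e, f)}
    h = {e: e[0] for e in E}
    # (8): causally unrelated events whose transitions are dependent
    direct = {
        (e, f) for e in E for f in E
        if e != f
        and e not in local_config(f) and f not in local_config(e)
        and not independent(h[e], h[f])
    }
    conflict = set(direct)
    while True:  # inheritance: e # f and f < g  =>  e # g (kept symmetric)
        inherited = {(e, g) for (e, f) in conflict for g in E if causally_before(f, g)}
        inherited |= {(g, e) for (e, g) in inherited}
        if inherited <= conflict:
            break
        conflict |= inherited
    return {"E": E, "<": lt, "#": conflict, "#_direct": direct, "h": h}


# Constructed prefixes of one two-thread system: program order within a thread
# shows up as causality, and thread 2 has two alternative first steps.
A = ("T1:x+=1", frozenset({BOT}))
C = ("T1:y+=1", frozenset({BOT, A}))
B = ("T2:y+=1", frozenset({BOT}))
D = ("T2:x-=1", frozenset({BOT}))
P1 = frozenset({BOT, A, C})
P2 = frozenset({BOT, A, B})
P3 = frozenset({BOT, D})


def demo() -> Dict[str, object]:
    u = union_prefixes([P1, P2, P3])
    return {
        "events": len(u["E"]),                       # A is merged: 5 events, not 7
        "direct_pairs": len(u["#_direct"]) // 2,     # unordered pairs given by (8)
        "all_pairs": len(u["#"]) // 2,               # after closing under inheritance
        "C_conflicts_D": (C, D) in u["#"],           # inherited from A # D and A < C
        "A_conflicts_B": (A, B) in u["#"],           # independent: no conflict
    }


if __name__ == "__main__":
    print(demo())
```

The pair (C, D) is the instructive one: the two transitions are independent, so (8) alone does not relate them, but C inherits the conflict of its cause A with D. Without the closure step the result would not be a LES.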

Our first task is verifying that each unfolding prefix is indeed a LES. Conditions (1)
and (2) are satisfied by construction. We verify the following:

► Lemma 14. For any unfolding prefix P := (E, <, #, h) we have the following:

1. The relation < is a strict partial order.

2. The relation # is irreflexive.

Proof. Assume that P is finite. This means that it has been constructed with Def. 3. We
prove both statements by induction.

Base case. The prefix containing only ⊥ trivially satisfies both statements.

Step case. We prove both statements separately. Clearly e < e does not hold, as every
event introduced by Def. 3 is a causal successor of only events that were already present
in the unfolding prefix. Furthermore, the insertion of an event does not change the causal
relations existing in the preceding unfolding prefix. The relation < is also transitive, as the
history of a configuration is causally closed.

As for the second statement, we prove it by contradiction. Assume that e # e and that
e has been inserted into P by applying Def. 3 to the prefix P'. Clearly, e ∉ E_{P'}, so the
conflict has not been inserted when extending P' with e. It must be the case, then, that
Def. 3 has inserted another event e' in P after inserting e, and that e' ∈ [e] and e' # e. This
is also not possible since, by definition, when inserting e' on a prefix P'' no causal successor
of e' can be present in P''.
Assume now that P is not finite. Then it is the union of an infinite family of finite
unfolding prefixes, each one of them satisfying the above. We prove again both statements
separately.

First statement. For any event e := (t, H) ∈ E, necessarily e < e cannot hold, as e comes
from some of the finite prefixes. Now, if e belongs to several finite prefixes, by construction
they agree on which events are causal predecessors of e. If the union contains a cycle

e_1 < e_2 < ... < e_n < e_1,

then all n events are present in any finite prefix to which e_n belongs. As a result all of them
are in [e_n], which is clearly impossible.

Second statement. It cannot be the case that e # e in P but ¬(e # e) in every finite prefix
that gives rise to P, by definition of union(·). So since ¬(e # e) holds for every finite prefix,
then ¬(e # e) holds for P. ◀

We now need to prove some facts about union(·).

► Lemma 15. If F is a finite set of unfolding prefixes constructed by Def. 3, then union(F)
is also a finite prefix constructed by Def. 3.

Proof. (Sketch). The proof proceeds by induction on the size n of F. If n = 1 then it is easy
to see that the union is a finite prefix (observe that union(·) “discards” the original conflict
relation and substitutes it for a new one).

The inductive step reduces to showing that the union of two prefixes is a prefix, as

union(F' ∪ {P}) = union(union(F') ∪ {P}).

To show this, let P_1 := (E_1, <_1, #_1, h_1) and P_2 := (E_2, <_2, #_2, h_2) be two unfolding prefixes.
To show that union({P_1, P_2}) is an unfolding prefix we proceed again by induction on the
size m of E_2 \ E_1. If m = 0 then P_2 ≤ P_1 and we are done. If not, one can select a <-maximal
event e := (t, H) from E_2 \ E_1, remove it from P_2, and the resulting prefix P_2' is such that
P_3 := union({P_1, P_2'}) is a finite prefix generated by Def. 3. Now Def. 3 can extend P_3 with e,
as H is by hypothesis a configuration of P_3 that enables t, and so on. Finally, one shows
that the causality, label, and conflict relation that Def. 3 and the definition of union(·) will
attach to e coincide. ◀

Next we show that every configuration of every unfolding prefix corresponds to some
Mazurkiewicz trace of the system:

► Lemma 16. Let P be an unfolding prefix of M under ◇. Given any configuration C of P,
it holds that inter(C) ⊆ runs(M). Furthermore, for any two runs σ_1, σ_2 ∈ inter(C), we have
state(σ_1) = state(σ_2).

Proof. Let P := (E, <, #, h) be the prefix, with h: E → T. Let C be a configuration of P. In
this proof we will assume that P is finite. This is because of the following two facts:

■ Assume that P = union(F), where F := {P_1, P_2, ...} is an infinite collection of finite
prefixes. Only finitely many prefixes in F contain events of C, as C is finite.

■ By Lemma 15, the union(·) of finitely many prefixes is a finite prefix generated by Def. 3.

So if P is infinite, by the above, we can find a finite prefix P', generated by Def. 3, and
which contains C. Since the arguments we make in the sequel only concern events in C,
proving the lemma in P' is equivalent to proving it in P.

So w.l.o.g. we assume that P is a finite unfolding. The proof is by structural induction
on the set of unfolding prefixes ordered by the prefix relation ≤.
Base case. Assume that P has been produced by the first rule of Def. 3. Then E = {⊥}
and the lemma trivially holds.

Inductive step. Assume that P has been produced by the application of the second rule
of Def. 3 to the unfolding prefix P', and let e be the only event in P but not in P'. Also,
assume that the lemma holds for P'.

Only two things are possible: e ∈ C or e ∉ C. In the second case, C is a configuration
of P' and we are done, so assume that e ∈ C. Necessarily e is a <-maximal event in C. Let
σ ∈ inter(C) be an interleaving of C, and let C := {e_1, ..., e_n}. W.l.o.g., assume that σ is of
the form

σ = h(e_1), ..., h(e_n)

and that e_i = e. Clearly, the causes [e] of e are a subset of the events {e_1, ..., e_{i-1}}. Since,
by definition of inter(·), {e_1, ..., e_{i-1}} is a configuration and it does not include e, it is
necessarily a configuration of P'. Thus, by applying the induction hypothesis we know that
the sequence

h(e_1), ..., h(e_{i-1})

is an execution of M and produces the same global state as another execution that first fires
all events in [e] and then all remaining events in {e_1, ..., e_{i-1}}. This means that σ is an
execution of M iff the sequence

σ' := σ''.h(f_1) ... h(f_k).h(e).h(g_1) ... h(g_l)

is an execution of M, where σ'' ∈ inter([e]), {f_1, ..., f_k} = {e_1, ..., e_{i-1}} \ [e], and g_1 = e_{i+1},
..., g_l = e_n.

Now we will show that the sequence σ''.h(f_1) ... h(f_k).h(e), which is a prefix of σ', is an
execution. From Def. 3 we know that σ'' enables h(e), and from the induction hypothesis
we also know that σ'' enables h(f_1). Since ¬(f_1 # e) and f_1 ∉ [e], from Def. 3 we know that
h(f_1) ◇ h(e), i.e., the transitions associated to both events commute (at all states). Since
both h(f_1) and h(e) are enabled at state(σ''), then σ''.h(f_1).h(e) is a run. Again, the run
σ''.h(f_1) enables both h(e) and h(f_2), and for similar reasons h(e) ◇ h(f_2), so we know
that σ''.h(f_1).h(f_2).h(e) is a run. Iterating this argument k times one can prove that

σ̂ := σ''.h(f_1) ... h(f_k).h(e)

is indeed an execution.

The next step is proving that the execution σ̂ can be continued by firing the sequence
of transitions h(g_1), ..., h(g_l). The argument here is quite similar to the one before, but slightly
different. It is easy to see that h(e) ◇ h(g_j) for j ∈ {1, ..., l}. Since σ̂ enables both h(e)
and h(g_1), and both commute at state(σ̂), then necessarily σ̂.h(e).h(g_1) is an execution and
reaches the same state as the execution σ̂.h(g_1).h(e). Iterating this argument l times one
can show that, similarly, σ̂.h(e).h(g_1) ... h(g_l) is an execution and reaches the same state
as the execution σ̂.h(g_1) ... h(g_l).h(e). This has shown that σ is indeed an execution.

The lemma also requires proving that any two executions in inter(C) reach the same
state. This is straightforward to show using the arguments we have introduced above. We
have already shown that any linearization of all events in C is h-labelled by an execution
of M that reaches the same state as the execution that labels any other linearization of the
same events that fires e last in the sequence. Using this fact and the induction hypothesis
it is very simple to complete the proof. ◀
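Lemma 16 checked on concrete data, as an added example (illustration code for this page, not the paper's). Events are pairs (t, H) as in this appendix; inter(C) is computed as the set of linearizations of C in which every event follows its history, each linearization is run on a constructed two-variable state, and all of them must reach the same state. A second set of events is deliberately not a configuration (it contains two conflicting first steps of the same thread), and its interleavings no longer agree, which is why the lemma is stated for configurations only. Threads, operations, the transition semantics and the initial state are constructed.

```python
# Added example (not from the paper): checking Lemma 16 on a constructed
# configuration. Events are pairs (t, H); inter(C) is enumerated and every
# interleaving is run on a toy state. Operations and states are constructed.
from typing import Callable, Dict, FrozenSet, Iterator, List, Tuple

Event = Tuple[str, FrozenSet]
BOT: Event = ("⊥", frozenset())
State = Tuple[int, int]                 # (x, y)

# Constructed transition relation of M: each label is a deterministic state update.
TRANSITIONS: Dict[str, Callable[[State], State]] = {
    "T1:x+=1": lambda s: (s[0] + 1, s[1]),
    "T1:x*=2": lambda s: (s[0] * 2, s[1]),
    "T2:y+=1": lambda s: (s[0], s[1] + 1),
}
INITIAL: State = (0, 0)


def interleavings(events: FrozenSet) -> List[Tuple[str, ...]]:
    """inter(C): every ordering of the events of C in which each event follows all
    events of its history H; returned as label sequences with ⊥ dropped."""
    def rec(fired: FrozenSet, remaining: FrozenSet) -> Iterator[Tuple[str, ...]]:
        if not remaining:
            yield ()
        for e in remaining:
            if e[1] <= fired:                       # all causes of e already fired
                for rest in rec(fired | {e}, remaining - {e}):
                    yield ((e[0],) if e != BOT else ()) + rest
    return list(rec(frozenset(), events))


def run(labels: Tuple[str, ...]) -> State:
    """state(σ) for a run σ of M, starting from the initial state."""
    s = INITIAL
    for t in labels:
        s = TRANSITIONS[t](s)
    return s


def lemma16_check(events: FrozenSet) -> Tuple[int, FrozenSet]:
    """Number of interleavings and the set of states they reach; for a
    configuration the set is a singleton, as Lemma 16 states."""
    seqs = interleavings(events)
    return len(seqs), frozenset(run(seq) for seq in seqs)


# A configuration: T1 doubles x after incrementing it (program order as
# causality) and T2 increments y, independently of T1.
A = ("T1:x+=1", frozenset({BOT}))
C1 = ("T1:x*=2", frozenset({BOT, A}))
B = ("T2:y+=1", frozenset({BOT}))
CONFIG = frozenset({BOT, A, C1, B})

# Not a configuration: C2 is an alternative first step of T1, in conflict with A.
C2 = ("T1:x*=2", frozenset({BOT}))
NOT_A_CONFIG = frozenset({BOT, A, C2, B})


if __name__ == "__main__":
    print(lemma16_check(CONFIG))         # 3 interleavings, one state (2, 1)
    print(lemma16_check(NOT_A_CONFIG))   # 6 interleavings, states (2, 1) and (1, 1)
```

The three interleavings of CONFIG differ only in where the independent T2 step is placed, and all reach (2, 1); the conflicting set admits both orders of the two T1 steps and reaches two different states.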
► Lemma 17. For any set F of unfolding prefixes, union(F) is the least upper bound of F
with respect to the order ≤.

Proof. Let F := {P_1, P_2, ...}, where P_i := (E_i, <_i, #_i, h_i) for 1 ≤ i. Let P := union(F) be their
union, where P := (E, <, #, h). We need to show that
■ (upper bound) P_i ≤ P;

■ (least element) for any unfolding prefix P' such that P_j ≤ P' holds for all 1 ≤ j, we have
that P ≤ P'.

We start by showing that P is an upper bound. Let P_i ∈ F be an arbitrary unfolding prefix.
We show that P_i ≤ P:

■ Trivially E_i ⊆ E.

■ <_i ⊆ < ∩ (E_i × E_i). Trivial.

■ <_i ⊇ < ∩ (E_i × E_i). Assume that e' < e and that both e and e' are in E_i. Then there is
some 1 ≤ j such that e' <_j e, and both e and e' are in E_j. Assume that e := (t, H). Since
P_j is a finite prefix constructed by Def. 3, then necessarily e' ∈ H. As a result, Def. 3
must have found that e' was in H when adding e to the prefix that eventually became
P_i, and consequently e' <_i e.

■ #_i ⊆ # ∩ (E_i × E_i). Trivial.

■ #_i ⊇ # ∩ (E_i × E_i). Assume that e # e' and that e, e' ∈ E_i. We need to prove that e #_i e'.
Assume w.l.o.g. that e' was added to P_i by Def. 3 after e. If e and e' satisfy (8), then
trivially e #_i e'. If not, then assume w.l.o.g. that there exists some e'' < e' such that
e # e'', and such that e and e'' satisfy (8). Then e #_i e'' and, since P_i is a LES, we
have e #_i e'.

■ h_i = h ∩ (E_i × E_i). Trivial.

We now focus on proving that P is the least element among the upper bounds of F. Let
P' := (E', <', #', h') be an upper bound of all elements of F. We show that P ≤ P'.

■ Since E is the union of all E_i and all E_i are by hypothesis in E', then necessarily E ⊆ E'.

■ < ⊆ <' ∩ (E × E). Assume that e < e'. By definition e and e' are in E, so we only need to
show that e <' e'. We know that there is some 1 ≤ i such that e <_i e'. We also know that
P_i ≤ P', which implies that e <' e'.

■ < ⊇ <' ∩ (E × E). Assume that e <' e' and that e, e' ∈ E. We know that there is some 1 ≤ i
such that e, e' ∈ E_i. We also know that P_i ≤ P', which implies that <_i = <' ∩ (E_i × E_i).
This means that e <_i e', and so e < e'.

■ h = h' ∩ (E × E). Trivial.

■ # ⊆ #' ∩ (E × E). Assume that e # e'. Then e and e' are in E. Two things are possible.
Either e, e' satisfy (8) or, w.l.o.g., there exists some e'' < e' such that e and e'' satisfy (8).
In the former case, using the items above, it is trivial to show that ¬(e <' e'), that ¬(e' <' e),
and that ¬(h'(e) ◇ h'(e')). This means that e #' e'. In the latter case it is the same.

■ # ⊇ #' ∩ (E × E). Trivial. ◀


► Theorem 5. The unfolding U_{M,◇} exists and is unique. Furthermore, for any non-empty
run σ of M, there exists a unique configuration C of U_{M,◇} such that σ ∈ inter(C).

Proof. Let F be the set of all, finite or infinite, unfolding prefixes of U_{M,◇}. By Def. 13 we
have that U_{M,◇} := union(F) is an unfolding prefix. By Lemma 17 we know it is ≤-maximal
and unique.

Observe that for a run that fires no transition, i.e. σ = ε ∈ T*, we may find the empty
configuration ∅ or the configuration {⊥}, and in both cases σ is an interleaving of the
configuration. Hence the restriction to non-empty runs.

Assume that σ fires at least one transition. The proof is by induction on the length |σ|
of the run.

Base case. If σ fires one transition t, then t is enabled at s, the initial state of M. Then
{⊥} is a history for t, as necessarily state({⊥}) enables t. This means that e := (t, {⊥}) is an
event of U_{M,◇}, and clearly σ ∈ inter({⊥, e}). It is easy to see that no other event e' different
from e but such that h(e) = h(e') can exist in U_{M,◇} and satisfy that the history [e'] of e'
equals the singleton {⊥}. The representative configuration for σ is therefore unique.

Inductive step. Consider σ = σ'.t_{k+1}, with σ' = t_1.t_2 ... t_k. By the induction hypothesis,
we assume that there exists a unique configuration C' such that σ' ∈ inter(C'). By Lemma 16,
all runs in inter(C') reach the same state s and σ' is such a run. Hence, t_{k+1} is enabled at
state s. If all <-maximal events e ∈ max(C') are such that h(e) interferes with t_{k+1}, then C' is a valid
configuration H and by construction (second condition of Def. 3) there is a configuration
C = C' ∪ {e'} with e' = (t_{k+1}, H). Otherwise, we construct a valid H by considering
sub-configurations of C', removing a maximal event e ∈ max(C') such that h(e) does not interfere with
t_{k+1}. We always reach a valid H since C' is a finite set and {⊥} is always a valid H.
Considering C = H ∪ {e'} with e' = (t, H), by construction (second condition of Def. 3) we
have that ∀e_H ∈ H: ¬(e' # e_H) and ∀e ∈ C' \ H: ¬(e # e') (otherwise these events would
be in H). Hence, C' ∪ {e'} is a configuration. ◀


B Proofs: Exploration Algorithm

For the rest of this section, as we did in the main sections of the paper, we fix a system M :=
(Σ, T, s) and an unconditional independence relation ◇ on M. We assume that reach(M) is
finite. Let U_{M,◇} := (E, <, #, h) be the unfolding of M under ◇, which we abbreviate as U.

For this section, unless otherwise stated, we furthermore assume that U is finite, i.e.,
that all computations of M terminate.

Algorithm 1 is recursive; each call to Explore(C, D, A) yields either no recursive call, if
the function returns at line 4, or one single recursive call (line 9), or two (line 9 and line 11).
Furthermore, it is non-deterministic, as e is chosen from either the set en(C) or the set
A ∩ en(C), which in general are not singletons. As a result, the configurations explored by
it may differ from one execution to the next.

For each system M we define the call graph explored by Alg. 1 as a directed graph (B, ▷)
representing the actual exploration that the algorithm did on the state space. Different
executions will in general yield different call graphs.

The nodes B of the call graph are 4-tuples of the form (C, D, A, e), where C, D, A are
the parameters of a recursive call made to the function Explore(·,·,·), and e is the event
selected by the algorithm immediately before line 9. More formally, B contains exactly all
tuples (C, D, A, e) satisfying that
■ C, D, and A are sets of events of the unfolding U;

■ during the execution of Explore(∅, ∅, ∅), the function Explore(·,·,·) has been recursively
called with C, D, A as, respectively, first, second, and third argument;

■ e ∈ E is the event selected by Explore(C, D, A) immediately before line 9 if C is not
maximal; if C is maximal, we define e := ⊥.⁴

⁴ Observe that in this case, if C is maximal, the execution of Explore(C, D, A) never reaches line 9.
The edge relation of the call graph, ▷ ⊆ B × B, represents the recursive calls made by
Explore. Formally, it is the union of two disjoint relations ▷ := ▷_l ∪ ▷_r defined as
follows. We define that

(C, D, A, e) ▷_l (C', D', A', e') and that (C, D, A, e) ▷_r (C'', D'', A'', e'')

iff the execution of Explore(C, D, A) issues a recursive call to, resp., Explore(C', D', A')
at line 9 and Explore(C'', D'', A'') at line 11. Observe that C' and C'' will necessarily be
different (as C' = C ∪ {e}, where e ∉ C, and C'' = C), and therefore the two relations are
disjoint sets. We distinguish the node

b_0 := ({⊥}, ∅, ∅, ⊥)

as the initial node, also called the root node. Observe that (B, ▷) is by definition a weakly
connected digraph, as there is a path from the node b_0 to every other node in B. Later in
this section we will additionally prove that the call graph is actually a binary tree, where
▷_l is the left-child relation and ▷_r is the right-child relation.

B.1 General Lemmas

► Lemma 18. Let (C, D, A, e) ∈ B be a state of the call graph. We have that

■ event e is such that e ∈ en(C); (9)

■ C is a configuration; (10)

■ C ∪ A is a configuration and C ∩ A = ∅; (11)

■ D ⊆ ex(C); (12)

■ if A = ∅, then D ⊆ cex(C); (13)

■ for all e' ∈ D there is some e'' ∈ C ∪ A such that e' # e''. (14)


Proof. To show (9) is immediate. Observe, in Alg. 1, that both branches of the "if" statement where $e$ is picked select it from the set $en(C)$.

All remaining items, (10) to (14), will be shown by induction on the length $n \geq 0$ of any path

$$b_0 \triangleright b_1 \triangleright \ldots \triangleright b_{n-1} \triangleright b_n$$

on the call graph, starting from the initial node and leading to $b_n := (C, D, A, e)$ (we will later show, Lemma 24, that there is actually only one such path). For $i \in \{0, \ldots, n\}$ we define $(C_i, D_i, A_i, e_i) := b_i$.

We start showing (10). Base case, $n = 0$ and $C = \{\perp\}$. The set $\{\perp\}$ is a configuration. Step. Assume $C_{n-1}$ is a configuration. If $b_{n-1} \triangleright_l b_n$, then $C = C_{n-1} \cup \{e\}$ for some event $e \in en(C_{n-1})$, as stated in (9). By definition, $C$ is a configuration. If $b_{n-1} \triangleright_r b_n$, then $C = C_{n-1}$. In any case $C$ is a configuration.

We show (11), also by induction on $n$. Base case, $n = 0$. Then $C = \{\perp\}$ and $A = \emptyset$. Clearly $C \cup A$ is a configuration and $C \cap A = \emptyset$. Step. Assume that $C_{n-1} \cup A_{n-1}$ is a configuration and that $C_{n-1} \cap A_{n-1} = \emptyset$. We have two cases.

- Assume that $b_{n-1} \triangleright_l b_n$. If $A_{n-1}$ is empty, then $A$ is empty as well. Clearly $C \cup A$ is a configuration and $C \cap A$ is empty. If $A_{n-1}$ is not empty, then $C = C_{n-1} \cup \{e\}$ and $A = A_{n-1} \setminus \{e\}$, for some $e \in A_{n-1}$, and we have

$$C \cup A = (C_{n-1} \cup \{e\}) \cup (A_{n-1} \setminus \{e\}) = C_{n-1} \cup A_{n-1},$$

so $C \cup A$ is a configuration as well. We also have that $C \cap A = C_{n-1} \cap A_{n-1}$ (recall that $e \notin C_{n-1}$), so $C \cap A$ is empty.

- Assume that $b_{n-1} \triangleright_r b_n$ holds. Then we have $C = C_{n-1}$ and also $A = J \setminus C_{n-1}$ for some $J \in Alt(C_{n-1}, D_{n-1} \cup \{e_{n-1}\})$. From (5) we know that $C_{n-1} \cup J$ is a configuration. As a result,

$$C \cup A = C_{n-1} \cup (J \setminus C_{n-1}) = C_{n-1} \cup J,$$

and therefore $C \cup A$ is a configuration. Finally, by construction of $A$, we clearly have $C \cap A = \emptyset$.

We show (12), again, by induction on $n$. Base case, $n = 0$ and $D = \emptyset$. Then (12) clearly holds. Step. Assume that (12) holds for $(C_i, D_i, A_i, e_i)$, with $i \in \{0, \ldots, n-1\}$. We show that it holds for $b_n$. As before, we have two cases.

- Assume that $b_{n-1} \triangleright_l b_n$. We have that $D = D_{n-1}$ and that $C = C_{n-1} \cup \{e_{n-1}\}$. We need to show that for all $e' \in D$ we have $[e'] \subseteq C$ and $e' \notin C$. By induction hypothesis we know that $D = D_{n-1} \subseteq ex(C_{n-1})$, so clearly $[e'] \subseteq C_{n-1} \subseteq C$. We also have that $e' \notin C_{n-1}$, so we only need to check that $e' \neq e_{n-1}$. By contradiction, if $e' = e_{n-1}$, by (14) we would have that some event in $C$ is in conflict with some other event in $C \cup A$, which is a contradiction to (11).

- Assume that $b_{n-1} \triangleright_r b_n$. We have that $D = D_{n-1} \cup \{e_{n-1}\}$ and by hypothesis we know that $D_{n-1} \subseteq ex(C_{n-1}) = ex(C)$. As for $e_{n-1}$, by (9) we know that $e_{n-1} \in en(C_{n-1}) = en(C) \subseteq ex(C)$. As a result, $D \subseteq ex(C)$.

We show (13). By (12) we know that $D \subseteq ex(C)$. Assume $A = \emptyset$. For each $e' \in D$ we need to prove the existence of some $e'' \in C$ with $e' \mathrel{\#^i} e''$. This is exactly what (14) states.

We show (14), again, by induction on $n$. Base case, $n = 0$ and $D = \emptyset$. The result holds. Step. Assume (14) holds for $(C_{n-1}, D_{n-1}, A_{n-1}, e_{n-1})$. We show that it holds for $b_n$. We distinguish two cases.

- $b_{n-1} \triangleright_l b_n$. Then $D = D_{n-1}$. As a result, for any $e' \in D$ there is some $e'' \in C_{n-1} \cup A_{n-1}$ satisfying $e' \mathrel{\#^i} e''$. But we have that $C_{n-1} \cup A_{n-1} \subseteq C \cup A$, so such $e''$ is also contained in $C \cup A$, which shows the result.

- $b_{n-1} \triangleright_r b_n$. Observe that $D = D_{n-1} \cup \{e_{n-1}\}$. Let $J \in Alt(C_{n-1}, D_{n-1} \cup \{e_{n-1}\})$ be the alternative used to construct $A = J \setminus C_{n-1}$. By definition (6) we know that for all $e' \in D \setminus cex(C_{n-1})$ we can find some $e'' \in J$ with $e' \mathrel{\#^i} e''$. We only need to show that $J \subseteq A \cup C$. Observe that this will complete the proof, since for each $e' \in D \cap cex(C_{n-1})$ we already know that there is some $e'' \in C_{n-1} \subseteq C \cup A$ with $e' \mathrel{\#^i} e''$. Now, that $J \subseteq C \cup A$ is obvious: $C \cup A = C_{n-1} \cup (J \setminus C_{n-1}) = C_{n-1} \cup J$. ◀

The following lemma essentially guarantees that whenever Alg. 1 reaches line 8, the set from which $e$ is chosen is not empty.

► Lemma 19. If $C \subseteq C'$ are two finite configurations, then $en(C) \cap (C' \setminus C) = \emptyset$ iff $C' \setminus C = \emptyset$.

Proof. If there is some $e \in en(C) \cap (C' \setminus C)$, then $e \notin C$ and $e \in C'$, so $C' \setminus C$ is not empty.

If there is some $e' \in C' \setminus C$, then there is some event $e''$ that is $<$-minimal in $C' \setminus C$. As a result, $[e''] \subseteq C$. Since $e'' \notin C$ and $C \cup \{e''\}$ is a configuration (as $C \cup \{e''\} \subseteq C'$), we have that $e'' \in en(C)$. Then $en(C) \cap (C' \setminus C)$ is not empty. ◀
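As an added illustration (not code from the paper or its tool), the following Python models a small prime event structure with the operators $ex(C)$, $en(C)$ and $cex(C)$ used throughout this appendix, and checks Lemma 19 by brute force over every pair of nested configurations of a constructed toy structure; the event names, the structure itself and the class and function names are constructed here, and the definitions of causal closure, inherited conflict and extensions follow standard unfolding semantics rather than text on this page.

```python
from itertools import combinations


class EventStructure:
    """A finite prime event structure: events with immediate causality and
    immediate conflict; conflict is inherited along causality (standard
    unfolding semantics, assumed here rather than taken from the page)."""

    def __init__(self, events, causes, conflicts):
        self.events = frozenset(events)
        # immediate causes of every event (constructed input)
        self.causes = {e: frozenset(causes.get(e, ())) for e in self.events}
        # immediate conflict, stored symmetrically
        self.imm_conflict = set()
        for a, b in conflicts:
            self.imm_conflict.add((a, b))
            self.imm_conflict.add((b, a))

    def strict_causes(self, e):
        """All events that causally precede e (transitive closure, e excluded)."""
        seen, todo = set(), list(self.causes[e])
        while todo:
            x = todo.pop()
            if x not in seen:
                seen.add(x)
                todo.extend(self.causes[x])
        return frozenset(seen)

    def in_conflict(self, a, b):
        """a # b: some cause-or-self of a is in immediate conflict with one of b."""
        ca = self.strict_causes(a) | {a}
        cb = self.strict_causes(b) | {b}
        return any((x, y) in self.imm_conflict for x in ca for y in cb)

    def is_configuration(self, C):
        """Causally closed and conflict-free."""
        C = frozenset(C)
        closed = all(self.strict_causes(e) <= C for e in C)
        return closed and not any(self.in_conflict(a, b) for a, b in combinations(C, 2))

    def ex(self, C):
        """Extensions of C: events outside C all of whose causes lie in C."""
        C = frozenset(C)
        return frozenset(e for e in self.events - C if self.strict_causes(e) <= C)

    def en(self, C):
        """Enabled extensions: those in conflict with no event of C."""
        C = frozenset(C)
        return frozenset(e for e in self.ex(C) if not any(self.in_conflict(e, c) for c in C))

    def cex(self, C):
        """Conflicting extensions; en(C) and cex(C) partition ex(C)."""
        return self.ex(C) - self.en(C)

    def configurations(self):
        """Every configuration, enumerated by brute force (fine for a toy)."""
        evs = sorted(self.events)
        return [frozenset(s) for n in range(len(evs) + 1)
                for s in combinations(evs, n) if self.is_configuration(s)]


def lemma19_holds(es):
    """Lemma 19 on every pair C <= C' of configurations:
    en(C) meets C' \\ C exactly when C' \\ C is non-empty."""
    confs = es.configurations()
    return all(bool(es.en(C) & (C2 - C)) == bool(C2 - C)
               for C in confs for C2 in confs if C <= C2)


# Constructed toy structure: the bottom event "r" enables a, b and d;
# c depends on a; a and d are in immediate conflict (so c # d is inherited).
TOY = EventStructure(
    events=["r", "a", "b", "c", "d"],
    causes={"a": ["r"], "b": ["r"], "c": ["a"], "d": ["r"]},
    conflicts=[("a", "d")],
)

if __name__ == "__main__":
    C = {"r", "a"}
    print("en:", sorted(TOY.en(C)), "cex:", sorted(TOY.cex(C)))
    print("configurations:", len(TOY.configurations()), "Lemma 19:", lemma19_holds(TOY))
```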

► Lemma 20. For any node $(C, D, A, e) \in B$ of the call graph we have that $A \neq \emptyset$ implies $en(C) \cap A \neq \emptyset$.

Proof. The result is a consequence of Lemma 19 and (11). Since $C \cup A$ is a configuration that includes $C$, and $(C \cup A) \setminus C = A$ is not empty, then $en(C) \cap A$ is not empty. ◀
► Lemma 21. Let $b := (C, D, A, e)$ and $b' := (C', D', A', e')$ be two nodes of the call graph such that $b \triangleright b'$. Then

- $C \subseteq C'$ and $D \subseteq D'$; (15)
- if $b \triangleright_l b'$, then $C \subsetneq C'$; (16)
- if $b \triangleright_r b'$, then $D \subsetneq D'$. (17)

Proof. If $b \triangleright_l b'$, then $C' = C \cup \{e\}$ and $D' = D$. Then all the three statements hold. If $b \triangleright_r b'$, then $C' = C$ and $D' = D \cup \{e\}$. Similarly, all the three statements hold. ◀


B.2 Termination

► Lemma 22. Any path $b_0 \triangleright b_1 \triangleright b_2 \triangleright \cdots$ in the call graph starting from $b_0$ is finite.

Proof. By contradiction. Assume that $b_0 \triangleright b_1 \triangleright \ldots$ is an infinite path in the call graph. For $0 \le i$, let $(C_i, D_i, A_i, e_i) := b_i$. Recall that $\mathcal{U}$ has finitely many events, finitely many finite configurations, and no infinite configuration. Now, observe that the number of times that $b_i$ and $b_{i+1}$ are related by $\triangleright_l$ rather than $\triangleright_r$ is finite, since every time Explore$(\cdot, \cdot, \cdot)$ makes a recursive call at line 9 it adds one event to $C_i$, as stated by (16). More formally, the set

$$L := \{ i \in \mathbb{N} : b_i \triangleright_l b_{i+1} \}$$

is finite. As a result it has a maximum, and its successor $k := 1 + \max L$ is an index in the path such that for all $i \ge k$ we have $b_i \triangleright_r b_{i+1}$, i.e., the function only makes recursive calls at line 11. We then have that $C_i = C_k$, for $i \ge k$, and by (12), that $D_i \subseteq ex(C_k)$. Recall that $ex(C_k)$ is finite. Observe that, as a result of (17), the sequence

$$D_k \subsetneq D_{k+1} \subsetneq D_{k+2} \subsetneq \cdots$$

is an infinite increasing sequence. This is a contradiction, as for sufficiently large $j \ge 0$ we will have that $D_{k+j}$ will be larger than $ex(C_k)$, yet $D_{k+j} \subseteq ex(C_k)$. ◀

► Corollary 23. The call graph is a finite directed acyclic graph.

Proof. Recall that every node $b \in B$ is reachable from the initial node $b_0$ by definition of the graph. Also, by Lemma 22, all paths from $b_0$ are finite, and every node has between 0 and 2 adjacent nodes.

By contradiction, if the graph had infinitely many nodes, then König's lemma would guarantee the existence of an infinite path starting from $b_0$, a contradiction to Lemma 22. Then $B$ is necessarily finite.

As for the acyclicity, again by contradiction, assume that $(B, \triangleright)$ has a cycle. Then every state of any such cycle would be reachable from $b_0$, which guarantees the existence of at least one infinite path in the graph. Again, this is a contradiction to Lemma 22. ◀

► Theorem 9 (Termination). Regardless of its input, Alg. 1 always stops.

Proof. Remark that Alg. 1 makes calls to three functions, namely, Extend$(\cdot)$, Remove$(\cdot)$, and Alt$(\cdot, \cdot)$. Clearly the first two terminate. Since we gave no algorithm to compute Alt$(\cdot, \cdot)$, we will assume we employ one that terminates on every input.

Now, observe that there is no loop in Alg. 1. Thus any non-terminating execution of Alg. 1 must perform a non-terminating sequence of recursive calls, which entails the existence of an infinite path in the call graph associated to the execution. Since, by Lemma 22, no infinite path exists in the call graph, Alg. 1 always terminates. ◀
B.3 Optimality

► Lemma 24. Let $b, b_1, b_2, b_3, b_4 \in B$ be nodes of the call graph such that

$$b \triangleright_l b_1 \triangleright^* b_3 \quad\text{and}\quad b \triangleright_r b_2 \triangleright^* b_4,$$

and such that $(C_3, D_3, A_3, e_3) := b_3$ and $(C_4, D_4, A_4, e_4) := b_4$. Then $C_3 \neq C_4$.

Proof. Let $(C, D, A, e) := b$, $(C_1, D_1, A_1, e_1) := b_1$, and $(C_2, D_2, A_2, e_2) := b_2$. By (16) we know that $e \in C_1$, and by (15) that $e \in C_3$. We show that $e \notin C_4$. By (17) we have that $e \in D_2$, and again by (15) that $e \in D_4$. Since $D_4 \subseteq ex(C_4)$, by (12), we have that $e \in ex(C_4)$, so $e \notin C_4$. ◀

► Corollary 25. The call graph $(B, \triangleright)$ is a finite binary tree, where $\triangleright_l$ and $\triangleright_r$ are respectively the left-child and right-child relations.

Proof. Corollary 23 states that the call graph is a finite directed acyclic graph. Lemma 24 guarantees that for every node $b \in B$, the nodes reached after the left child are different from those reached after the right one. ◀

► Lemma 26. For any maximal configuration $\tilde{C} \subseteq E$, there is at most one node $(C, D, A, e) \in B$ with $C = \tilde{C}$.

Proof. By contradiction, assume there were two different nodes,

$$b := (\tilde{C}, D, A, e) \quad\text{and}\quad b' := (\tilde{C}, D', A', e')$$

in $B$ such that the first component of the tuple is $\tilde{C}$. The call graph is a binary tree, because of Corollary 25, so there is exactly one path from $b_0 := (\{\perp\}, \emptyset, \emptyset, \perp)$ to respectively $b$ and $b'$. Let

$$b_0 \triangleright b_1 \triangleright \ldots \triangleright b_{n-1} \triangleright b_n \quad\text{and}\quad b'_0 \triangleright b'_1 \triangleright \ldots \triangleright b'_{m-1} \triangleright b'_m$$

be the two such unique paths, with $b_n := b$, $b'_m := b'$ and $b_0 := b'_0 := b_0$. Such paths clearly share the first node $b_0$. In general they will share a number of nodes to later diverge. Let $i$ be the index of the last node common to both paths, i.e., the maximum integer $i \ge 0$ such that

$$(b_0, b_1, \ldots, b_i) = (b'_0, b'_1, \ldots, b'_i)$$

holds. Observe both paths necessarily diverge before reaching the last node, i.e., one cannot be a prefix of the other. This is because both $b$ and $b'$ are leaves of the call graph, i.e., there is no $b'' \in B$ such that either $b \triangleright b''$ or $b' \triangleright b''$. As a result $b \neq b'_j$ for any $j \in \{0, \ldots, m\}$ and $b' \neq b_j$ for any $j \in \{0, \ldots, n\}$. This means that $i < \min\{n, m\}$.

Let $(C_i, D_i, A_i, e_i) := b_i$. W.l.o.g., assume that $b_i \triangleright_l b_{i+1}$ and that $b'_i \triangleright_r b'_{i+1}$. Now, using (16) and (15), it is simple to show that $e_i \in \tilde{C}$. And using (17) and (15), that $e_i \in D'$. Then, by (12) we get that $e_i \in ex(\tilde{C})$, a contradiction to $e_i \in \tilde{C}$. ◀

► Theorem 10 (Optimality). Let $\tilde{C}$ be a maximal configuration of $\mathcal{U}$. Then Explore$(\cdot, \cdot, \cdot)$ is called at most once with its first parameter being equal to $\tilde{C}$.

Proof. By construction, every call to Explore$(C, D, A)$ produces one node of the form $(C, D, A, e)$, for some $e \in E$, in the call graph associated to the execution. By Lemma 26, there is at most one node with its first parameter being equal to $\tilde{C}$, so Explore$(\cdot, \cdot, \cdot)$ can have been called at most once with $\tilde{C}$ as first parameter.

Observe, furthermore, that the algorithm does not initiate what Abdulla et al. call sleep-set blocked executions [2]. These correspond, in our setting, to exploring the same configuration in both branches of the tree. Formally, our algorithm would explore sleep-set blocked executions iff it is possible to find some $b \in B$ such that the left and right subtrees of $b$ contain nodes exploring the same configuration. By Lemma 24 this is not possible. ◀

B.4 Completeness

► Lemma 27. Let $b := (C, D, A, e) \in B$ be a node in the call graph and $\tilde{C} \subseteq E$ an arbitrary maximal configuration of $\mathcal{U}$ such that $C \subseteq \tilde{C}$ and $D \cap \tilde{C} = \emptyset$. Then exactly one of the following statements holds:

- Either $C$ is a maximal configuration of $\mathcal{U}$, or
- $e \in \tilde{C}$ and $b$ has a left child, or
- $e \notin \tilde{C}$ and $b$ has a right child.

Proof. The proof is by induction on $b$ using a specific total order in $B$ that we define now. Recall that $(B, \triangleright)$ is a binary tree (Corollary 25). We let $\prec \subseteq B \times B$ be the unique in-order relation in $B$. Formally, $\prec$ is the order that sorts, for every $b \in B$, first all nodes reachable from $b$'s left child (if there is any), then $b$, then all nodes reachable from $b$'s right child (if there is any).

Base case. Node $b$ is the least element in $B$ w.r.t. $\prec$. Then $b$ is the leftmost leaf of the call tree, i.e., $b_0 \triangleright_l^* b$, and $C$ is a maximal configuration. Then the first item holds.

Step case. Assume that the result holds for any node $\hat{b} \prec b$. If $C$ is maximal, we are done. So assume that $C$ is not maximal, and so that $b$ has at least one left child. If $e \in \tilde{C}$, then we are done, as the second item holds.

So assume that $e \notin \tilde{C}$. The rest of this proof shows that the third item of the lemma holds, i.e., that $b$ has a right child. In particular we show that there exists some alternative $J \subseteq \tilde{C}$ such that $J \in Alt(C, D \cup \{e\})$.

We start by setting up some notation. Observe that any alternative $J \in Alt(C, D \cup \{e\})$ needs to contain, for every event $e' \in D \cup \{e\}$, some event $e'' \in J \cup C$ in immediate conflict with $e'$, cf. (6). In fact $e''$ can be in $J$ or in $C$. Those $e' \in D \cup \{e\}$ such that $C$ already contains some $e''$ in conflict with $e'$ pose no problem. So we need to focus on the remaining ones; we assign them a specific name, and we define the set

$$F := \{e_1, \ldots, e_n\} := (D \setminus cex(C)) \cup \{e\}.$$

Let $e_i$ be any event in $F$. Clearly $e_i \in cex(\tilde{C})$, as $e_i \in D \subseteq ex(C)$, by (12), and so $[e_i] \subseteq C \subseteq \tilde{C}$ and $e_i \notin \tilde{C}$. Since $e_i \in cex(\tilde{C})$ we can find some $e' \in \tilde{C}$ such that $e_i \mathrel{\#^i} e'$. We can now define a set

$$J := [\{e'_1, \ldots, e'_n\}]$$

such that $e'_i \in \tilde{C}$ and $e_i \mathrel{\#^i} e'_i$ for $i \in \{1, \ldots, n\}$. Clearly $J \subseteq \tilde{C}$ and $J$ is causally closed, so it is a configuration. Observe that $J$ is not uniquely defined; there may be several $e'_i$ to choose for each $e_i$ (some of the $e'_i$ might even be the same). We take any $e'_i$ in immediate conflict with $e_i$; the choice is irrelevant (for now).

We show now that $J \in Alt(C, D \cup \{e\})$ when function Alt$(\cdot, \cdot)$ is called just before line 11 during the execution of Explore$(C, D, A)$. Let $U$ be the set of events contained in variable $U$ of Alg. 1 exactly when Alt$(\cdot, \cdot)$ is called. Clearly $C \cup J$ is a configuration, so (6) holds. To verify (5), consider any event $\hat{e} \in D \cup \{e\}$. If $\hat{e} \in D \cap cex(C)$ we can always find some $e' \in C$ with $e' \mathrel{\#^i} \hat{e}$. If not, then $\hat{e} = e_i$ for some $i \in \{1, \ldots, n\}$ and we can find some $e'_i \in J$ such that $e_i \mathrel{\#^i} e'_i$. In order to verify (5) we only need to check that $e'_i \in U$. In the rest of this proof we show this. Observe that $e'_i \in U$ also implies that $J \subseteq U$, necessary to ensure that $J$ is an alternative to $D \cup \{e\}$ after $C$ when the function Alt$(\cdot, \cdot)$ is called.

In the sequel we show that $J \subseteq U$. In other words, that event $e'_i$, for $i \in \{1, \ldots, n\}$, is present in set $U$ when function Alt$(C, D \cup \{e\})$ is called. The set $U$ has been filled with events in function Extend$(\cdot)$ as the exploration of $\mathcal{U}$ advanced; some of them have been kept in $U$, some of them have been removed with Remove$(\cdot)$. To reason about the events in $U$ we need to look at the fragment of $\mathcal{U}$ explored so far.

For $i \in \{1, \ldots, n\}$ let $b_i := (C_i, D_i, A_i, e_i) \in B$ be the node in the call graph associated to event $e_i \in F$. These nodes are all situated in the unique path from $b_0$ to $b$. W.l.o.g. assume (after possible reordering of the index $i$) that

$$b_0 \triangleright^* b_1 \triangleright^* b_2 \triangleright^* \ldots \triangleright^* b_n$$

where $b_n = b$ and $e_n = e$. First observe that for any $i \in \{2, \ldots, n\}$ we have $\{e_1, \ldots, e_{i-1}\} \subseteq D_i$. Since every event $e_i$ is in $D = D_n$ for $i \in \{1, \ldots, n-1\}$, we know that the first step in the path that goes from $b_i$ to $b_{i+1}$ is a right child. In other words, the call to Explore$(C_i, D_i, A_i)$ is right now blocked on the right-hand side recursive call at line 11 in Alg. 1, after having decided that there was one right child to explore. For the sake of clarity, we can then informally write

$$b_0 \triangleright^* b_1 \triangleright_r\, \triangleright^* b_2 \triangleright_r\, \triangleright^* \cdots \triangleright_r\, \triangleright^* b_n.$$

We additionally define the sets of events

$$U_0, U_1, \ldots, U_n \subseteq E$$

as, respectively for $i \in \{1, \ldots, n\}$, the value of the variable $U$ during the execution of Explore$(C_i, D_i, A_i)$ just before the right recursive call at line 11 was made, i.e., the value of variable $U$ when Alt$(C_i, D_i \cup \{e_i\})$ was called. For $i = 0$ we set $U_0 := \{\perp\}$ to the initial value of $U$. According to this definition we have that $U_n = U$.

To prove that $J \subseteq U = U_n$ it is now sufficient to prove that $e'_i \in U_i$, for $i \in \{1, \ldots, n\}$. This is essentially because of the following three facts.

1. Clearly $e_i \in U_i$.

2. For any node $\hat{b} := (\hat{C}, \hat{D}, \cdot, \hat{e}) \in B$ explored after $b_i$ and before $b_n$ it holds that $e_i \in \hat{D}$, by (15), and so every time function Remove$(\hat{e}, \hat{C}, \hat{D})$ has been called, event $e_i$ has not been removed from $U$.

3. Any event in immediate conflict with $e_i$ will likewise not be removed from set $U$ as long as $e_i$ remains in $D$, for the same reason as before.

In other words, $e'_i \in U_i$ implies that $e'_i \in U_n$, for $i \in \{1, \ldots, n\}$.

We need to show that $e'_i \in U_i$, for $i \in \{1, \ldots, n\}$. Consider the configuration $C' \subseteq E$ defined as follows:

$$C' := C_i \cup \{e_i\} \cup [e'_i].$$

First, note that $C'$ is indeed a configuration, since it is clearly causally closed and there is no conflict: $e_i \in en(C_i)$ and $C_i \cup [e'_i] \subseteq \tilde{C}$ and $[e_i] \cup [e'_i]$ is conflict-free (because $e_i$ and $e'_i$ are in immediate conflict). Remark also that $D_i \subseteq ex(C')$ and that $e'_i \in cex(C')$. We now consider two cases:
- Case 1: there is some maximal configuration $C'' \supseteq C'$ such that $D_i \cap C'' = \emptyset$. We show that $C''$ has been visited during the exploration of the left subtree of $b_i$. In that case, since $e'_i \in cex(C'')$ and $e_i \in C''$, Alg. 1 will have appended $e'_i$ to $U$ during that exploration, and it will remain in $U$ at least as long as $e_i$ is in $D$.

To show that $C''$ has been explored, consider the left child $b'_i := (C_i \cup \{e_i\}, D_i, \cdot, \cdot)$ of $b_i$. In that case, since $b_i \prec b$ (recall that $b$ is in the right subtree of $b_i$), clearly every node $\hat{b} \in B$ in the subtree rooted at $b'_i$ (i.e., $b'_i \triangleright^* \hat{b}$) is such that $\hat{b} \prec b_i \prec b$. This means that the induction hypothesis applies to $\hat{b}$. So Lemma 28 applied to $b'_i$ and $C''$ shows that $C''$ has been explored in the subtree rooted at $b'_i$. As a result $e'_i \in U_i$ and $e'_i \in U_n$, which is what we wanted to prove.

- Case 2: there is no maximal configuration $C'' \supseteq C'$ such that $D_i \cap C'' = \emptyset$. In other words, any maximal configuration $C'' \supseteq C'$ is such that $D_i \cap C'' \neq \emptyset$. Our first step is showing that this implies that

$$\exists j \in \{1, \ldots, i-1\} \text{ such that } \#(e_i) \cap \tilde{C} \supseteq \#(e_j) \cap \tilde{C}. \tag{18}$$

Let $C'' \supseteq C'$ be a maximal configuration. Then $D_i \cap C'' \neq \emptyset$. This implies that $D_i \cap en(C) \cap C'' \neq \emptyset$, as necessarily $D_i \cap C'' \subseteq en(C)$. Observe that $D_i \cap en(C) = \{e_1, \ldots, e_{i-1}\}$, so we have that $\{e_1, \ldots, e_{i-1}\} \cap C'' \neq \emptyset$. Consider now the following two sets:

$$X_1 := \tilde{C} \setminus \#(e_i) \quad\text{and}\quad X_2 := X_1 \cup \{e_i\}.$$

Observe now the following. We can find a maximal configuration $C''' \supseteq X_1$ satisfying that $D_i \cap C''' = \emptyset$ (for instance, take $C''' := \tilde{C}$). But, because $C' \subseteq X_2$, we cannot find any $C''' \supseteq X_2$ satisfying that $D_i \cap C''' = \emptyset$. This implies that for any $C''' \supseteq X_2$ we have $\{e_1, \ldots, e_{i-1}\} \cap C''' \neq \emptyset$. Based on the last statement we can now prove (18) by contradiction. Assume that (18) does not hold. Then for any $j \in \{1, \ldots, i-1\}$, one could find some event $\hat{e} \in \#(e_j) \cap \tilde{C}$ such that $\hat{e} \notin \#(e_i) \cap \tilde{C}$. Then $\hat{e} \notin \#(e_i)$ and as a result $\hat{e} \in X_1 \subseteq X_2$. This now would mean that for any $j \in \{1, \ldots, i-1\}$ it holds that $\#(e_j) \cap X_2 \neq \emptyset$. This implies that any maximal configuration $C'''$ extending $X_2$ is such that $\{e_1, \ldots, e_{i-1}\} \cap C''' = \emptyset$. This is a contradiction, so the validity of (18) is now established.

According to (18) there might be several integers $j \in \{1, \ldots, i-1\}$ such that $\#(e_i) \cap \tilde{C} \supseteq \#(e_j) \cap \tilde{C}$ holds. Let $m$ be the minimum such $j$, and consider the following set:

$$X_3 := X_1 \cup [e'_m] \cup \{e_m\}.$$

We will now prove that $X_3$ is a configuration and it has been visited during the exploration of the subtree rooted at the left child of $b_m$. We first establish several claims about $X_3$:

- Fact 1: set $X_3$ is causally closed. Since $X_1$ is causally closed, clearly $X_1 \cup [e'_m]$ is causally closed. Now, since $\{e_i, e_m\} \subseteq en(C)$, we have that $\#(e_i) \cap C = \emptyset$, and as a result $[e_m] \subseteq C \subseteq X_1 \subseteq X_3$.

- Fact 2: set $X_3$ is conflict-free. Since $X_1 \cup [e'_m] \subseteq \tilde{C}$, there is no pair of conflicting events in $X_1 \cup [e'_m]$. Consider now $e_m$. Since $e_m$ and $e'_m$ are in immediate conflict, by definition $e_m$ has no conflict with any event in $[e'_m]$. Consider now any event $\hat{e} \in X_1$. Observe that $\hat{e} \in \tilde{C}$. If $\hat{e} \in \#(e_m)$, then by (18) we have that $\hat{e} \in \#(e_i)$, which implies that $\hat{e} \notin X_1$. So $e_m$ has no conflict with any event in $X_1$.

- Fact 3: it holds that $C_m \cup \{e_m\} \subseteq X_3$. Since $C_m \subseteq C$, by (15), and $C \subseteq X_1 \subseteq X_3$, we clearly have that $C_m \subseteq X_3$. Also, $e_m \in X_3$ by definition.

- Fact 4: it holds that $X_3 \cap D_m = \emptyset$. By (12) and (15) we know that $D_m \subseteq D \subseteq ex(C)$. Since the sets $en(C)$ and $cex(C)$ partition $ex(C)$ we make the following argument. For any $\hat{e} \in D_m \cap cex(C)$ we know that $\hat{e} \notin X_3$, as $C \subseteq X_3$. As for $D_m \cap en(C)$ we have that $D_m \cap en(C) = \{e_1, \ldots, e_{m-1}\}$. So for any $j \in \{1, \ldots, m-1\}$, because of the minimality of $m$, we know that $\#(e_i) \cap \tilde{C} \supseteq \#(e_j) \cap \tilde{C}$ does not hold. In other words, we know that there exists at least one event $\hat{e} \in \#(e_j) \cap \tilde{C}$ such that $\hat{e} \notin \#(e_i) \cap \tilde{C}$. This implies that $\hat{e} \notin \#(e_i)$, and as a result $\hat{e} \in X_1 \subseteq X_3$. So, for any event in $D_m$ there is at least one conflicting event in $X_3$, and $X_3$ is a configuration. Therefore $X_3 \cap D_m = \emptyset$.

To show that $X_3$ has been explored in the subtree rooted at $b_m$, consider the left child $b'_m := (C_m \cup \{e_m\}, D_m, \cdot, \cdot)$ of $b_m$. The induction hypothesis applies to any node $\hat{b} \in B$ in the subtree rooted at $b'_m$ (i.e., $b'_m \triangleright^* \hat{b}$). This is because $\hat{b} \prec b'_m \prec b_m \prec b$. By the first two facts previously proved, we know that $X_3$ is a configuration. The last two facts, together with the fact that the induction hypothesis holds on the subtree rooted at $b'_m$, imply, by Lemma 28, that some maximal configuration $C'' \supseteq X_3$ has been explored in the subtree rooted at $b'_m$. Since $C_m \subseteq X_3$ and $e'_m \in cex(X_3) \subseteq cex(C'')$, we know that $e'_m$ has been discovered at least when exploring $C''$. Since $e_m \mathrel{\#^i} e'_m$ and $e_m$ is in set $D$ we also know that Remove$(\cdot)$ cannot remove $e'_m$ from $U$ before $e_m$ is removed from $D$. This implies that $e'_m \in U_m$, but also that $e'_m \in U_n$.

Now, our goal was proving that $e'_i \in U_n$. Since $e'_m \in \#(e_i)$, by (18), there is some $\hat{e} \in \#^i(e_i)$ such that $\hat{e} \le e'_m$. Since $U_n$ is causally closed, we have that $\hat{e} \in U_n$.

We have found some event $\hat{e} \in U_n$ such that $\hat{e} \mathrel{\#^i} e_i$. If $\hat{e} \neq e'_i$, then we substitute $e'_i$ in $J$ by $\hat{e}$. This means that in the definition of $J$ we cannot choose any arbitrary $e'_i$ from $\tilde{C}$ (as we said before, to keep things simple). But we can always find at least one event in $\tilde{C}$ that is in immediate conflict with $e_i$ and is also present in $U_n$. Observe that the choice made for $e_i$, with $i \in \{1, \ldots, n\}$, has no consequence for the choices made for $j \in \{1, \ldots, i-1\}$. This means that we can always make a choice for index $i$ after having made choices for every $j < i$.

This completes the argument showing that every $e'_i$ (possibly modifying the original choice) is in $U$, and shows that $J \subseteq U$. This implies, by construction of $J$, that $J \in Alt(C, D \cup \{e\})$ when the set of events present in memory equals $U$. As a result, Alg. 1 will do a recursive call at line 11 and $b$ will have a right child. This is what we wanted to prove. ◀

► Lemma 28. For any node $b := (C, D, \cdot, e) \in B$ in the call graph and any maximal configuration $\tilde{C} \subseteq E$ of $\mathcal{U}$, if $C \subseteq \tilde{C}$ and $D \cap \tilde{C} = \emptyset$ and Lemma 27 holds on all nodes in the subtree rooted at $b$, then there is a node $b' := (C', \cdot, \cdot, \cdot) \in B$ such that $b \triangleright^* b'$ and $C' = \tilde{C}$.

Proof. Assume that Lemma 27 holds on any node $b'' \in B$ such that $b \triangleright^* b''$, i.e., all nodes in the subtree rooted at $b$. Since $C \subseteq \tilde{C}$ and $D \cap \tilde{C} = \emptyset$, we can apply Lemma 27 to $b$ and $\tilde{C}$. If $C$ is maximal, then clearly $C = \tilde{C}$ and we are done. If not we consider two cases. If $e \in \tilde{C}$, then by Lemma 27 we know that $b$ has a left child $b_1 := (C_1, D_1, \cdot, e_1)$, with $C_1 := C \cup \{e\}$ and $D_1 := D$. Finally, if $e \notin \tilde{C}$, then equally by Lemma 27 we know that $b$ has a right child $b_1 := (C_1, D_1, \cdot, e_1)$, with $C_1 := C$ and $D_1 := D \cup \{e\}$. Observe, in any case, that $C_1 \subseteq \tilde{C}$ and $D_1 \cap \tilde{C} = \emptyset$.

If $C_1$ is maximal, then necessarily $C_1 = \tilde{C}$; we take $b' := b_1$ and we have finished. If not, we can reapply Lemma 27 at $b_1$ and make one more step into one of the children $b_2$ of $b_1$. If $C_2$ is still not maximal (thus different from $\tilde{C}$) we need to repeat the argument starting from $b_2$ only a finite number $n$ of times until we reach a node $b_n := (C_n, D_n, \cdot, \cdot)$ where $C_n$ is a maximal configuration. This is because every time we repeat the argument on a non-maximal node $b_i$ we advance one step down in the call tree, and all paths in the tree are finite. So eventually we find a leaf node where $C_n$ is maximal and satisfies $C_n \subseteq \tilde{C}$. This implies that $C_n = \tilde{C}$, and we can take $b' := b_n$. ◀

► Theorem 11 (Completeness). Let $\tilde{C}$ be a maximal configuration of $\mathcal{U}$. Then Explore$(\cdot, \cdot, \cdot)$ is called at least once with its first parameter being equal to $\tilde{C}$.

Proof. We need to show that for every maximal configuration $\tilde{C} \subseteq E$ we can find a node $b := (C, \cdot, \cdot, \cdot)$ in $B$ such that $C = \tilde{C}$. This is a direct consequence of Lemma 28. Consider the root node of the tree, $b_0 := (C, D, A, \perp)$, where $C = \{\perp\}$ and $D = A = \emptyset$. Clearly $C \subseteq \tilde{C}$ and $D \cap \tilde{C} = \emptyset$, and Lemma 27 holds on all nodes of the call tree. So Lemma 28 applies to $\tilde{C}$ and $b_0$, and it establishes the existence of the aforementioned node $b$. ◀

B.5 Memory Consumption

The following proposition establishes that Alg. 1 cleans set $U$ adequately, and that after finishing the execution of Explore$(C, D, A)$, set $U$ has the form described by the proposition.

► Proposition 29. Assume the function Explore$(C, D, A)$ is eventually called. Let $U$ and $U'$ be, respectively, the values of set $U$ in Alg. 1 immediately before and immediately after executing the call. If $Q_{C,D,U} \subseteq U \subseteq Q_{C,D,U} \cup en(C)$, then $U' = Q_{C,D,U'}$.

Proof. Let $b := (C, D, A, e) \in B$ be the node in the call tree associated to the call to Explore$(C, D, A)$. The proof is by induction on the length of the longest path to a leaf starting from $b$ (in the subtree rooted at $b$).

Base case. The length is 0, $b$ is a leaf node, and $C$ is a maximal configuration. Then $en(C) = \emptyset$, so $U \subseteq Q_{C,D,U}$. By hypothesis $Q_{C,D,U} \subseteq U$ also holds, so $U = Q_{C,D,U}$. Now, the call to Extend$(C)$ adds to $U$ only events from $cex(C)$. So at line 4, clearly $U' = Q_{C,D,U'}$.

Step case. Let $U_1 := U$ be the value of set $U$ immediately before the call to the function Explore$(C, D, A)$. Let $U_2$ be the value immediately before Alg. 1 makes the first recursive call, at line 9; $U_3$ the value immediately after that call returns; $U_4$ immediately after the second recursive call returns; and $U_5 := U'$ immediately after the call to Explore$(C, D, A)$ returns. Assume that $Q_{C,D,U_1} \subseteq U_1 \subseteq Q_{C,D,U_1} \cup en(C)$ holds. Let $C' := C \cup \{e\}$. We first show that

$$Q_{C',D,U_2} \subseteq U_2 \subseteq Q_{C',D,U_2} \cup en(C')$$

holds. This ensures that the induction hypothesis applies to the first recursive call, at line 9, and guarantees that $U_3 = Q_{C',D,U_3}$.

Let $\hat{e}$ be an event in $Q_{C',D,U_2}$. We show that $\hat{e} \in U_2$. First, remark that $U_2 = U_1 \cup ex(C)$. If $\hat{e} \in C \cup D \subseteq U_1 \subseteq U_2$, we are done. If $\hat{e} = e$, then clearly $\hat{e} \in ex(C) \subseteq U_2$. Otherwise $\hat{e}$ is in $[e_1]$ for some $e_1 \in U_2$ such that there is some $e_2 \in C' \cup D$ with $e_1 \mathrel{\#^i} e_2$. Since clearly $U_2$ is causally closed and $e_1 \in U_2$, we have that $\hat{e} \in U_2$.

Let $\hat{e}$ be now an event in $U_2$. We show that $\hat{e} \in Q_{C',D,U_2} \cup en(C')$. If $\hat{e} \in U_1$, then clearly $\hat{e} \in Q_{C',D,U_2}$ (essentially because $U_1 \subseteq U_2$). So assume that $\hat{e} \in U_2 \setminus U_1 = ex(C)$. Now, observe that $ex(C) \subseteq \{e\} \cup ex(C')$. We are done if $\hat{e} \in \{e\} \cup en(C')$, so assume that $\hat{e} \in cex(C')$. Since $C' \subseteq U_2$ and $\hat{e} \in U_2$, by definition we have $\hat{e} \in Q_{C',D,U_2}$. This shows that $\hat{e} \in Q_{C',D,U_2} \cup en(C')$.

Then by induction hypothesis we have that $U_3 = Q_{C',D,U_3}$ immediately after the recursive call of line 9 returns. Function Alt$(\cdot, \cdot)$ does not update $U$, so when the second recursive call is made, line 11, clearly

$$Q_{C,D',U_3} \subseteq U_3 \subseteq Q_{C,D',U_3} \cup en(C)$$

holds, with $D' := D \cup \{e\}$. This is obvious after realizing the fact that

$$Q_{C \cup \{e\}, D, U_3} = Q_{C, D \cup \{e\}, U_3}.$$

So the induction hypothesis applies to the second recursive call as well, and guarantees that $U_4 = Q_{C, D \cup \{e\}, U_4}$ holds immediately after the recursive call of line 11 returns.

Recall that our goal is proving that $U_5 = Q_{C,D,U_5}$. The difference between $U_4$ and $U_5$ are the events removed by the call to the function Remove$(e, C, D)$. Let $R$ be such events (see below for a formal definition). Then we have that $U_5 = U_4 \setminus R$. In the sequel we show that the following equalities hold:

$$U_5 = U_4 \setminus R = Q_{C, D \cup \{e\}, U_4} \setminus R = Q_{C,D,U_4} = Q_{C,D,U_5}. \tag{19}$$

Observe that these equalities prove the lemma. In the rest of this proof we prove the various equalities above.

To prove (19), first observe that the events removed from $U$ by Remove$(e, C, D)$, called $R$ above, are exactly

$$R := \Big(\{e\} \cup \bigcup_{e' \in \#^i(e)} [e']\Big) \setminus Q_{C,D,U_4}. \tag{20}$$

This is immediate from the definition of Remove$(\cdot)$. Now we prove two statements, (21) and (22), that imply the validity of (19). We start stating the first:

$$Q_{C, D \cup \{e\}, U_4} \setminus R = Q_{C,D,U_4}. \tag{21}$$

This equality intuitively says that (left-hand side) executing Remove$(e, C, D)$ when the set $U$ contains the events in $U_4$ (remember that $U_4 = Q_{C, D \cup \{e\}, U_4}$) leaves in $U$ exactly (right-hand side) all events in $C$, all events in $D$, and all events that causally precede some other event from $U$ (in fact, $U_4$) which is in conflict with some event in $C \cup D$. For the sake of clarity, unfolding the definitions in (21) yields the following equivalent equality:

$$\Big(C \cup D \cup \{e\} \cup \bigcup_{\substack{e' \in C \cup D \cup \{e\} \\ e'' \in \#^i(e') \cap U_4}} [e'']\Big) \setminus \Big(\big(\{e\} \cup \bigcup_{e' \in \#^i(e)} [e']\big) \setminus Q_{C,D,U_4}\Big) = Q_{C,D,U_4}.$$

We now prove (21). Let $\hat{e}$ be an event contained in the left-hand side. We show that $\hat{e}$ is in $Q_{C,D,U_4}$. We are done if $\hat{e} \in C \cup D$. If $\hat{e} = e$, then $\hat{e} \notin R$. Now, from the definition (20) of $R$ we get that $\hat{e} \in Q_{C,D,U_4}$. Lastly, if $\hat{e} \notin C \cup D \cup \{e\}$, then there is some event $e' \in C \cup D \cup \{e\}$ and some event $e'' \in U_4$ such that $e' \mathrel{\#^i} e''$ and $\hat{e} < e''$. If $e' \in C \cup D$, then by definition $\hat{e} \in Q_{C,D,U_4}$. The case that $e' = e$ cannot happen, as we show now. Since $\hat{e}$ is in the left-hand side, $\hat{e}$ is not in $R$. If $\hat{e} \notin R$, then $\hat{e}$ is either in $Q_{C,D,U_4}$, which is what we wanted to show, or $\hat{e}$ is not in $\{e\} \cup \bigcup_{e''' \in \#^i(e)} [e''']$. This means that $e' \neq e$.

For the opposite direction, let $\hat{e}$ be an event in $Q_{C,D,U_4}$. We show that it is contained in the left-hand side set. By definition $\hat{e} \notin R$. If $\hat{e} \in C \cup D$, clearly $\hat{e}$ is in the left-hand side. If not, then there is some event $e' \in C \cup D$ and some event $e'' \in U_4$ such that $e' \mathrel{\#^i} e''$ and $\hat{e} < e''$. Then by definition $\hat{e}$ is in the left-hand side. This completes the proof of (21).

The second statement necessary to prove (19) is the following:

$$Q_{C,D,U_4} = Q_{C,D,U_5}. \tag{22}$$

From left to right. Assume that $\hat{e} \in Q_{C,D,U_4}$. Routine if $\hat{e} \in C \cup D$. Assume otherwise that there is some $e_1 \in C \cup D$ and $e_2 \in \#^i(e_1) \cap U_4$ such that $\hat{e} \in [e_2]$. We show that $e_2 \in U_5$, which clearly proves that $\hat{e} \in Q_{C,D,U_5}$. By definition $e_2 \in U_4$. By (20), clearly $e_2 \notin R$, as $e_2 \in Q_{C,D,U_4}$. Since $U_5 = U_4 \setminus R$ we have that $e_2 \in U_5$.

From right to left the proof is even simpler. Assume that $\hat{e} \in Q_{C,D,U_5}$. Routine if $\hat{e} \in C \cup D$. Assume otherwise that there is some $e_1 \in C \cup D$ and $e_2 \in \#^i(e_1) \cap U_5$ such that $\hat{e} \in [e_2]$. Since $U_5 \subseteq U_4$, clearly $e_2 \in U_4$ and so $e_2 \in Q_{C,D,U_4}$. Then $\hat{e} \in Q_{C,D,U_4}$, as the latter is causally closed. ◀

C I Proofs: Improvements 
C.l Completeness with Cutoffs 

In § 5.2 we describe a modified version of Alg. 1 , where the Extend procedure has been 
replaced by the Extend’ procedure. The updated version uses a predicate cutofF(e, C/, G) to 
decide when an event is added to U. We refer to this version as the updated algorithm. 

Like Alg. 1 , the updated algorithm also explores a binary tree. It works by, intuitively, 
'’’’allowing" Alg. 1 to “see” only the non-cutoff events. The terminal configurations it will 
explore, i.e., those at which the procedure enCC) of Alg. 1 returns an empty set, will be 
those for which any enabled event in en(C') has been declared a cutoff. 

Many properties remain true in the updated algorithm, e.g.. Lemma 18 . Consider the 
set of terminal configurations explored by the updated algorithm, and let us denote them 

by 


C'i,C'2,...,C„. 

Let V ’■= (//',<',#') be the unique prefix of U whose set of events E' equals Ui<i<nC'i- 
Whenever Alg. 1 is applied to an acyclic state-space (all executions terminate), the following 
properties hold: 

^ V'=U’, 

iti. Each configuration Ci is a maximal configuration of V' . 

However, when we apply the updated algorithm to an arbitrary system (with possibly non¬ 
terminating executions), none of these properties remain valid in general. Obviously the first 
one will not be valid, e.g., if lA is infinite, this was expected and intended. The second prop¬ 
erty will also not be valid in general, essentially because one event could be declared as cutoff 
when exploring one configuration and as non-cutoff when exploring another configuration. 
We illustrate this with an abstract example. 

► Example 30. Assume that 𝒰_M is infinite and has only two maximal (infinite) configurations. 
The updated algorithm will explore the first until reaching some first terminal (and finite) 
configuration C₁ where all events in en(C₁) have been declared as cutoffs. Let e be one of 
those cutoffs in en(C₁), and e' the corresponding event in U ∪ G. The algorithm will then 
backtrack, and start exploring the second configuration. It could then very well reach a 
configuration that enables e. The updated algorithm will have to re-decide whether e is a 
cutoff. If it decides that it is not, e.g., because the corresponding event e' has been discarded 
from U ∪ G, it could add e to U, and so the second maximal configuration C₂ explored in 
this way will contain some event enabled by C₁. This implies that C₁ is not a maximal 
configuration of the prefix 𝒫'. 
This means essentially that proving that 𝒫' is a complete prefix [5] is not a valid strategy 
for proving Theorem 12, since potentially there exist configurations C of 𝒫' such that 
C ⊄ C_i for any 1 ≤ i ≤ n. 

Alternatively, we could try to reason using a variant of McMillan's standard argument [14, 
5, 3] (largely used in the literature about unfoldings for proving that some unfolding prefix 
is complete). Given a state s ∈ reach(M), we want to show that there is some configuration 
C such that 

state(C) = s and C ⊆ C_i for some 1 ≤ i ≤ n. (23) 

We know that 𝒰_M contains some configuration C' such that state(C') = s. If C' satisfies (23) 
we are done. If not, the usual argument now finds that C' has a cutoff event, but this does 
not work in our context: we can easily show that some maximal configuration of 𝒫' enables 
some event in C' but not in 𝒫' (the wished cutoff), but there is no guarantee that that 
maximal configuration is one of the C_i's above, so there is no guarantee that the updated 
algorithm has explicitly declared that event as cutoff. 

As a result, we resort to a completely different argument. The main idea is simple. We 
divide the set of events in 𝒫' in two parts, the red events and the blue events. Red events 
are such that the updated algorithm never declares them cutoff; blue events have at least 
been declared once cutoff and once non-cutoff. We next show two things. First, that the 
red events contain one representative configuration for every reachable marking (they contain a 
complete prefix). Second, that every configuration formed by red events has been explored 
by the updated algorithm. Together, these imply Theorem 12. 

We start with two definitions. 

■ Let the red prefix be the unique prefix 𝒫₁ := (E₁, <, #) of 𝒰_M formed by those events e 
added at least once to U by the updated algorithm and such that every time Extend' 
evaluated the predicate cutoff(e, U, G), the result was false. 

■ Let the blue prefix be the unique prefix 𝒫₂ := (E₂, <, #) of 𝒰_M such that E₂ := ⋃_{1≤i≤n} C_i. 
Observe that 𝒫₂ is in fact what we called 𝒫' so far. Notice also that E₁ ⊆ E₂. 

In § 5.2 we defined the cutoff(·) predicate using McMillan's size order. Here we redefine 
it to use an arbitrary adequate order. This allows us to prove a more general version of 
Theorem 12. Let ◁ be an adequate order (we skip the definition; the interested reader can 
find it in [5]) on the configurations of 𝒰_M. We define cutoff(e, U, G) to hold iff there exists 
some event e' ∈ U ∪ G such that 

state([e]) = state([e']) and [e'] ◁ [e]. (24) 

The size order from McMillan, which we used in § 5.2, is indeed adequate [5]. 
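The predicate (24) made concrete, as an added example that is not part of the paper: a tiny constructed unfolding of a system with two toggled bits, McMillan's size order as the adequate order, and a colour() helper that applies the red/blue distinction above to a sequence of evaluation contexts (U, G), showing how one event is judged cutoff in one context and non-cutoff in another, which is the situation of Example 30. All event names, the toggling system and the contexts are assumptions of the example.

```python
# Added example, not from the paper: the cutoff predicate (24) of the updated
# algorithm, instantiated with McMillan's size order, on a constructed unfolding.
# Event names, the toggling system and the contexts (U, G) are all made up here.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

@dataclass(frozen=True)
class Event:
    var: str               # variable the event toggles: var := (var + 1) mod 2
    preds: FrozenSet[str]  # immediate causal predecessors

# Thread A toggles x three times (a1 < a2 < a3), thread B toggles y once (b1).
EVENTS: Dict[str, Event] = {
    "a1": Event("x", frozenset()),
    "a2": Event("x", frozenset({"a1"})),
    "a3": Event("x", frozenset({"a2"})),
    "b1": Event("y", frozenset()),
}

def local_config(e: str) -> FrozenSet[str]:
    """[e]: the event together with its causal past."""
    seen, todo = set(), [e]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo.extend(EVENTS[x].preds)
    return frozenset(seen)

def state(config: Iterable[str]) -> Tuple[int, int]:
    """state(C): toggles commute, so every linearisation gives the same (x, y)."""
    x = y = 0
    for n in config:
        if EVENTS[n].var == "x":
            x ^= 1
        else:
            y ^= 1
    return (x, y)

def cutoff(e: str, U: Iterable[str], G: Iterable[str]) -> bool:
    """(24) with the size order: some e' in U ∪ G has state([e']) = state([e])
    and |[e']| < |[e]|.  The verdict depends on what U ∪ G currently holds."""
    ce = local_config(e)
    return any(state(local_config(x)) == state(ce) and len(local_config(x)) < len(ce)
               for x in set(U) | set(G) if x != e)

def colour(e: str, contexts: Iterable[Tuple[Iterable[str], Iterable[str]]]) -> str:
    """Red: cutoff(e, U, G) false in every context the algorithm evaluated it in;
    blue: true in some contexts and false in others (Example 30's situation)."""
    verdicts = {cutoff(e, U, G) for U, G in contexts}
    return "red" if verdicts == {False} else "blue" if verdicts == {True, False} else "cutoff"
```

Here a3 is a cutoff whenever a1 is still remembered in U ∪ G (same state (1, 0), smaller local configuration) and non-cutoff once a1 has been discarded, so across both contexts it is blue, while a1 and b1 are red.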

We now need to define the canonical prefix associated with ◁ (we refer the reader to [4], 
to avoid increasing the limited space in the References section, although a better reference 
would be [Khomenko, Koutny, Vogler 2002]). We give a simplified definition. Given an event 
e ∈ E, we call it ◁-cutoff iff there exists some other event e' ∈ E such that (24) holds. 
Observe that we now search e' in E and not in U ∪ G. The ◁-prefix is the unique ⊆-maximal 
unfolding prefix that contains no ◁-cutoff. It is well known [4] that (1) the ◁-prefix exists and 
is unique, and (2) it is marking-complete, i.e., for every s ∈ reach(M), there is some configuration 
C in the ◁-prefix such that state(C) = s. 

The key observation now is that all events in the ◁-prefix are red, i.e., the ◁-prefix is a prefix 
of 𝒫₁. Clearly, regardless of the actual contents of U and G when cutoff(e, U, G) is evaluated, 
the result will always be false if e is not ◁-cutoff. 
So, in order to prove Theorem 12, it suffices to show that every red configuration from 
𝒫₁ is contained in some node explored by the algorithm. We achieve this with Lemma 31 and 
Lemma 32. 

► Lemma 31. Let b := (C, D, A, e) ∈ B be a node in the call graph and C̄ ⊆ E₁ an arbitrary 
red configuration in 𝒫₁, such that the following two conditions are verified: 

1. C̄ ∪ C is a configuration, and 

2. for any e ∈ D there is some e' ∈ C̄ such that e #ⁱ e'. 

Then exactly one of the following statements holds: 

■ either b is a leaf node in B, or 

■ for any ê ∈ C̄ we have ¬(e #ⁱ ê) and b has a left child, or 

■ for some ê ∈ C̄ we have e #ⁱ ê and b has a right child. 

Proof. The statement of this lemma is very similar to the one of Lemma 27, the main lemma 
behind the proof of Theorem 11 (completeness). Consequently the proof is also similar. The 
proof is by induction on b using the same total order < ⊆ B × B that we employed for 
Lemma 27. 

Base case. Node b is the least element in B w.r.t. <. It is therefore the leftmost leaf of 
the call tree. Then the first item holds. 

Step case. Assume that the result holds for any node b̂ < b. If C is maximal, we are 
done. So assume that C is not maximal. Then b has at least one left child. If there is no 
ê ∈ C̄ such that e #ⁱ ê, then the second item holds and we are done. 

So assume that for some ê ∈ C̄ it holds that e #ⁱ ê. We show that the third item 
holds in this case. For that we need to show that b has a right child. The rest of this proof 
accomplishes that: it shows that there is some alternative J ∈ Alt(C, D ∪ {e}) whenever the 
algorithm asks for the existence of one. 

We define the set 

F := {e₁, …, e_n} := D ∪ {e}. 

This set contains the events that the alternative J needs to justify. Let e_i be any event in F. 
By hypothesis there exists some e'_i ∈ C̄ such that e_i #ⁱ e'_i. Thus, there exists at least one set 

J := [{e'₁, …, e'_n}] 

where e'_i ∈ C̄ and e_i #ⁱ e'_i for i ∈ {1, …, n}. Clearly, J ⊆ C̄ and so it is a red configuration 
of 𝒫₁. We remark that J is not uniquely defined: there may be several e'_i to choose for 
each e_i. For now, take any suitable e'_i without further regard. We will later refine this 
choice if necessary. 

We show now that J ∈ Alt(C, D ∪ {e}) when function Alt(·) is called just before line 11 
during the execution of Explore(C, D, A). Let Ũ be the set of events contained in the 
variable U exactly when Alt(·) is called. 

By construction J ∪ C is a configuration, and J contains an event in conflict with any event 
in D ∪ {e}. We only need to check that J ⊆ Ũ, i.e., that all events in J are known (in 
fact, remembered) when function Alt(·) is called. 

We reason about the call stack when the algorithm is situated at b = (C, D, A, e). For i ∈ 
{1, …, n} let b_i := (C_i, D_i, A_i, e_i) ∈ B be the node in the call graph associated to event e_i ∈ F. 
These nodes are all situated in the unique path from b₀ to b. W.l.o.g. assume (after possible 
reordering of the index i) that 

b₀ ▷* b₁ ▷* b₂ ▷* … ▷* b_n, 

where b_n = b and e_n = e. Since every event e_i is in D = D_n for i ∈ {1, …, n−1}, we know 
that the first step in the path that goes from b_i to b_{i+1} is a right child. Also, we remark that 
by construction we have {e₁, …, e_{i−1}} = D_i for every i ∈ {2, …, n}. 

We need to show that e'_i ∈ U for i ∈ {1, …, n}. We consider two cases. Consider the set 
D_i = {e₁, …, e_{i−1}}. Only two things are possible: either there exists some j ∈ {1, …, i−1} 
such that 

#(e_j) ∩ C̄ ⊆ #(e_i) ∩ C̄ (25) 

holds, or for all j ∈ {1, …, i−1} the above statement is false. 

■ Case 1: for all j ∈ {1, …, i−1}, (25) does not hold. This means that for all 
such j, some event in #(e_j) ∩ C̄ is not in #(e_i) ∩ C̄. Consider the set 

X_i := C̄ \ #(e_i). 

It is a red configuration of 𝒫₁, which satisfies the following properties: 

– Fact 1: the set X_i ∪ C_i ∪ {e_i} is a configuration. Since X_i ∪ C_i ⊆ C̄ ∪ C, clearly X_i ∪ C_i is 
a configuration. Also, X_i has no event in conflict with e_i by construction. 

– Fact 2: for any e ∈ D_i there is some e' ∈ X_i such that e #ⁱ e'. This holds by 
construction. For any e ∈ D_i = {e₁, …, e_{i−1}} we know that some event in #(e) ∩ C̄ is 
not in #(e_i) ∩ C̄, so it is necessarily in X_i. 

Consider the left child b'_i := (C_i ∪ {e_i}, D_i, ·, ·) of b_i. Every node b̂ in the subtree rooted 
at b'_i (i.e., b'_i ▷* b̂) is such that b̂ < b_i < b. The induction hypothesis thus applies to b̂. 

By the previous facts, Lemma 32 applied to b'_i and X_i implies that some leaf (maximal) 
configuration C'' ⊇ X_i has been explored in the subtree rooted at b'_i. Since e'_i is a red 
event (it will never be declared cutoff) and e'_i ∈ ex(C''), event e'_i will be discovered when 
exploring C'', and will be kept in U as long as e_i remains in U. As a result e'_i ∈ U, which is what 
we wanted to prove. 

■ Case 2: there is some j ∈ {1, …, i−1} such that (25) holds. Let m be the minimum 
such integer. Consider the set X₂ defined as 

X₂ := (C̄ \ #(e_m)) ∪ [e'_m). 

It is clearly a subset of C̄, so it is a red configuration of 𝒫₁, and it satisfies the following 
properties: 

– Fact 3: the set X₂ ∪ C_m ∪ {e_m} is a configuration. Since X₂ ∪ C_m ⊆ C̄ ∪ C, clearly X₂ ∪ C_m 
is a configuration. Also, X₂ has no event in conflict with e_m, since all such events are 
in #(e_m) and we have removed them. Observe that by adding [e'_m) we do not add any 
conflict, as there is no conflict between e_m and any event of [e'_m). 

– Fact 4: for any e ∈ D_m there is some e' ∈ X₂ such that e #ⁱ e'. This holds by 
construction, as a result of the minimality of m. For any e ∈ D_m = {e₁, …, e_{m−1}} we 
know that (25) does not hold for e. So some event in #(e) ∩ C̄ is not in #(e_i) ∩ C̄, and 
so it is necessarily in X₂. 

Like before, consider now the left child b'_m := (C_m ∪ {e_m}, D_m, ·, ·) of b_m. The induction 
hypothesis applies to any node b̂ ∈ B in the subtree rooted at b'_m (i.e., b'_m ▷* b̂). By 
the previous facts, Lemma 32 applied to b'_m and X₂ implies that some leaf (maximal) 
configuration C' ⊇ X₂ has been explored in the subtree rooted at b'_m. Since e'_m is a red 
event (it will never be declared cutoff) and e'_m ∈ ex(C'), event e'_m will be discovered 
when exploring C', and will be kept in U as long as e_m remains in U. As a result e'_m ∈ U. 
We actually wanted to prove that e'_i is in U. This is now easy. Since e'_m ∈ #(e_i) by (25), 
there is some ê ∈ #ⁱ(e_i) such that ê ≤ e'_m. Since U is causally closed, we have that ê ∈ U. 
We have found some event ê ∈ U such that e_i #ⁱ ê. If ê ≠ e'_i, then we substitute e'_i in J 
by ê. This means that in the definition of J we cannot choose any arbitrary e'_i from C̄ (as 
we said before, to keep things simple). But we can always find at least one event in C̄ that 
is in immediate conflict with e_i and is also present in U. Observe that the choice made 
for e'_i, with i ∈ {1, …, n}, has no consequence for the choices made for j ∈ {1, …, i−1}. 
This means that we can always make a choice for index i after having made choices for 
every j < i. 

This completes the argument showing that every e'_i (possibly modifying the original 
choice) is in U, and shows that J ⊆ U. This implies, by construction of J, that J ∈ 
Alt(C, D ∪ {e}) when the set of events U present in memory equals Ũ. As a result, the 
algorithm will do a right recursive call and b will have a right child. This is what we wanted 
to prove. ◀ 

► Lemma 32. Let b := (C, D, ·, e) ∈ B be any node in the call graph. Let C̄ ⊆ E₁ be any 
configuration of 𝒫₁, i.e., consisting only of red events. Assume that 

■ C̄ ∪ C is a configuration; 

■ for any e ∈ D there is some e' ∈ C̄ such that e #ⁱ e'; 

■ Lemma 31 holds on every node in the subtree rooted at b. 

Then there exists in B a node b' := (C', ·, ·, ·) such that b ▷* b' and C̄ ⊆ C'. 

Proof. Assume that Lemma 31 holds on any node b'' ∈ B such that b ▷* b'', i.e., all nodes in 
the subtree rooted at b. By hypothesis we can apply Lemma 31 to b and C̄. If C is maximal, 
i.e., the algorithm does not find any non-cutoff extension of C, then we have that C̄ ⊆ C, as 
otherwise any event in C̄ \ C would be non-cutoff (as it is red) and would be enabled at C 
(because C̄ ∪ C is a configuration). So if b is a leaf, then we can take b' := b. 

If not, then e is enabled at C and there is at least a left child. Two things can happen 
now. Either e is in conflict with some event in C̄ or not. 

If e is not in conflict with any event in C̄, then the left child b₁ := (C₁, D₁, ·, e₁), with 
C₁ := C ∪ {e} and D₁ := D, is such that C₁ ∪ C̄ is a configuration, and C̄ contains some event 
in conflict with every event in D₁. Furthermore Lemma 31 applies to b₁ as well. 

If e is in conflict with some event in C̄, then by Lemma 31 we know that b has a right 
child b₁ := (C₁, D₁, ·, e₁), with C₁ := C and D₁ := D ∪ {e}. Like before, C₁ ∪ C̄ is a configuration 
and for any event in D₁ we have another one in C̄ in conflict with it. 

In any case, if C₁ is maximal, then it holds that C̄ ⊆ C₁ and we are done. If not, we can 
reapply Lemma 31 at b₁ and make one more step into one of the children b₂ of b₁. If C₂ 
still does not contain C̄, then we need to repeat the argument starting from b₂ only a finite 
number n of times until we reach a node b_n := (C_n, D_n, ·, ·) which has no further children 
in the call tree (i.e., en(C_n) is either empty or contains only cutoff events). This is because 
every time we repeat the argument on a non-leaf node b_i we advance one step down in the 
call tree, and all paths in the tree are finite. So eventually we find a leaf node b_n which, as 
argued earlier, satisfies that C̄ ⊆ C_n, and we can take b' := b_n. ◀ 

► Theorem 12 (Completeness). For any reachable state s ∈ reach(M), Alg. 1 updated with 
the cutoff mechanism described above explores one configuration C such that for some C' ⊆ C 
it holds that state(C') = s. 
Proof. Let 𝒫 be an unfolding prefix constructed with the classic saturation-based unfolding 
algorithm, using the standard cutoff strategy in combination with an arbitrary adequate 
order ◁: an event e is a classic-cutoff if there is another event e' in 𝒰_M such that state([e]) = 
state([e']) and [e'] ◁ [e]. By construction all events in 𝒫 are red, so they are in 𝒫₁. 

Let (B, ▷) be the call tree associated with one execution of Alg. 1 retrofitted with the 
cutoff mechanism. Let s ∈ reach(M) be an arbitrary state of the system. Owing to the 
properties of 𝒫 [5], there is a configuration C in 𝒫 such that state(C) = s. Such a 
configuration is in 𝒫₁. 

Now, Lemma 32 applies to the initial node b₀ ∈ B and C, and guarantees that the 
algorithm will visit a node b := (C', ·, ·, ·) ∈ B such that C ⊆ C'. This is what we 
wanted to prove. ◀ 


